NCBI Genome Workbench

firstscreen_still

Dangerous optimization (a vulnerability)

V597 The compiler could delete the ‘memset’ function call, which is used to flush ‘passwd_buf’ buffer. The memset_s() function should be used to erase the private data. challenge.c 366

/**
 * Crypt a given password using schema required for NTLMv1 authentication
 * @param passwd clear text domain password
 * @param challenge challenge data given by server
 * @param flags NTLM flags from server side
 * @param answer buffer where to store crypted password
 */
void
tds_answer_challenge(....)
{
#define MAX_PW_SZ 14
  ....
  if (ntlm_v == 1) {
    ....
    /* with security is best be pedantic */
    memset(hash, 0, sizeof(hash));
    memset(passwd_buf, 0, sizeof(passwd_buf));
    memset(ntlm2_challenge, 0, sizeof(ntlm2_challenge));
  } else {
    ....
  }
}

As you have already guessed, the title of this section is taken from the funny comment about security.

In brief, the compiler will delete the memset function because the buffers supposed to be cleared are no longer used. As a result, such data as hash or passwd_buf won’t be erased. This non-obvious feature of the compiler is discussed in more detail in the article “Safe Clearing of Private Data“.

Please click here to see more bugs from this project.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.