BUG OF THE MONTH | Dangerous optimization (a vulnerability)
V597 The compiler could delete the ‘memset’ function call, which is used to flush ‘passwd_buf’ buffer. The memset_s() function should be used to erase the private data. challenge.c 366
/**
 * Crypt a given password using schema required for NTLMv1 authentication
 * @param passwd    clear text domain password
 * @param challenge challenge data given by server
 * @param flags     NTLM flags from server side
 * @param answer    buffer where to store crypted password
 */
void tds_answer_challenge(....)
{
#define MAX_PW_SZ 14
  ....
  if (ntlm_v == 1) {
    ....
    /* with security is best be pedantic */
    memset(hash, 0, sizeof(hash));
    memset(passwd_buf, 0, sizeof(passwd_buf));
    memset(ntlm2_challenge, 0, sizeof(ntlm2_challenge));
  } else {
    ....
  }
}
As you have already guessed, the title of this section is taken from the funny comment about security.
In brief, the compiler is allowed to delete these memset calls: the buffers are local and are never read again after the wipe, so the optimizer treats the stores as dead and removes them (dead store elimination). As a result, data such as hash or passwd_buf is not actually erased and may remain on the stack. This non-obvious compiler behavior is discussed in more detail in the article “Safe Clearing of Private Data”.
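The following is an added example, not FreeTDS code, that contrasts the pattern flagged above with a wipe the optimizer cannot remove. The names secure_zero, toy_digest, answer_unsafe, answer_safe, all_zero and wipe_check are hypothetical; toy_digest stands in for the real NTLM computation. secure_zero uses memset_s only when the C library advertises C11 Annex K (most do not), and otherwise calls memset through a volatile function pointer, a standard technique that keeps the call from being recognized as a removable dead store.

```c
/* Added example (not from FreeTDS): wiping secrets so the compiler
 * cannot drop the clearing call as a dead store. */
#define __STDC_WANT_LIB_EXT1__ 1
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Volatile function pointer: the optimizer must perform the indirect
 * call and cannot treat it as a memset() whose result is unused. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

/* Hypothetical helper: erase n bytes at p in a way that survives optimization */
void secure_zero(void *p, size_t n)
{
#if defined(__STDC_LIB_EXT1__)
    /* C11 Annex K memset_s(): the standard forbids eliding this call */
    memset_s(p, n, 0, n);
#else
    /* Portable fallback; explicit_bzero() (glibc 2.25+, BSDs) is another option */
    memset_ptr(p, 0, n);
#endif
}

/* Toy "hash" standing in for the NTLM password transform: XOR-fold the bytes */
uint8_t toy_digest(const char *pw, size_t len)
{
    uint8_t d = 0;
    for (size_t i = 0; i < len; i++)
        d ^= (uint8_t)pw[i];
    return d;
}

/* UNSAFE pattern from the page: memset() on a local buffer that is never
 * read again. The compiler may delete it, leaving the password on the stack. */
uint8_t answer_unsafe(const char *pw)
{
    char passwd_buf[14];                       /* MAX_PW_SZ in the original */
    size_t len = strlen(pw);
    if (len > sizeof passwd_buf)
        len = sizeof passwd_buf;
    memcpy(passwd_buf, pw, len);
    uint8_t d = toy_digest(passwd_buf, len);
    memset(passwd_buf, 0, sizeof passwd_buf);  /* dead store: may be removed */
    return d;
}

/* FIXED pattern: identical logic, but the wipe cannot be optimized away */
uint8_t answer_safe(const char *pw)
{
    char passwd_buf[14];
    size_t len = strlen(pw);
    if (len > sizeof passwd_buf)
        len = sizeof passwd_buf;
    memcpy(passwd_buf, pw, len);
    uint8_t d = toy_digest(passwd_buf, len);
    secure_zero(passwd_buf, sizeof passwd_buf); /* guaranteed to execute */
    return d;
}

/* Returns 1 if every byte of p[0..n) is zero, else 0 */
int all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Checkable demonstration on a caller-visible buffer: fill with a
 * constructed non-zero pattern, wipe it, and report whether it is now all zero. */
int wipe_check(void)
{
    uint8_t buf[32];
    memset(buf, 0xAA, sizeof buf);             /* constructed "secret" bytes */
    if (all_zero(buf, sizeof buf))
        return 0;                              /* fill failed; should not happen */
    secure_zero(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}
```

Note that the defect itself is not observable from a test: reading a local buffer after its function returns is undefined behavior, so wipe_check exercises secure_zero on a buffer that is still in scope. To see the dead store disappear in practice, compile answer_unsafe with optimization enabled and inspect the generated assembly; the memset in answer_safe remains because the call goes through the volatile pointer.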