rpc: securely erase the message buffers
authorDaniel P. Berrangé <berrange@redhat.com>
Mon, 12 Dec 2022 10:23:46 +0000 (05:23 -0500)
committerDaniel P. Berrangé <berrange@redhat.com>
Tue, 13 Dec 2022 09:46:59 +0000 (04:46 -0500)
While only a couple of the message types include sensitive data,
the overhead of calling secure erase is not noticeable enough
to worry about making the erasure selective per type. Thus it is
simplest to unconditionally securely erase the buffer.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
src/rpc/virnetmessage.c

index 438c75b049bc0a6c3f72126ea5b2cc0eb429016c..c9698fb2631e2d8ca75d3154891a7e496e64d587 100644 (file)
@@ -28,6 +28,7 @@
 #include "virlog.h"
 #include "virfile.h"
 #include "virutil.h"
+#include "virsecureerase.h"
 
 #define VIR_FROM_THIS VIR_FROM_RPC
 
@@ -65,6 +66,7 @@ virNetMessageClearPayload(virNetMessage *msg)
 {
     virNetMessageClearFDs(msg);
 
+    virSecureErase(msg->buffer, msg->bufferLength);
     msg->bufferOffset = 0;
     msg->bufferLength = 0;
     VIR_FREE(msg->buffer);
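Review bot: The added `virSecureErase(msg->buffer, msg->bufferLength);` wipes only `bufferLength` bytes, and nothing in this hunk shows that `bufferLength` always matches the allocated size of `msg->buffer`. If some path outside the hunk sets `bufferLength` to the used payload size, or grows the buffer with a reallocation, then bytes past `bufferLength` or in the old allocation would be released without being wiped. I would record the assumption next to the call, for example `/* bufferLength must cover every byte written to buffer; paths that realloc or free buffer elsewhere need their own erase */`, and check the other sites that resize or free `msg->buffer`. The end of virNetMessageClearPayload lies outside the hunk.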