From 1057b0befec1f1c0e9d4da5521a58496e2dc0997 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 30 Dec 2018 16:40:28 -0500
Subject: [PATCH] Address some optimized-out memset() calls

Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out.  In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear.  In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure.  In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.
---
 src/clients/ksu/krb_auth_su.c      |  4 +---
 src/lib/gssapi/krb5/iakerb.c       |  1 -
 src/lib/kadm5/srv/svr_principal.c  | 10 ++--------
 src/lib/krb5/asn.1/asn1_k_encode.c |  1 -
 4 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index 7af48195cb..e39685ffff 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
     if (code ) {
         com_err(prog_name, code, _("while reading password for '%s'\n"),
                 client_name);
-        memset(password, 0, sizeof(password));
         return (FALSE);
     }
 
     if ( pwsize == 0) {
         fprintf(stderr, _("No password given\n"));
         *zero_password = TRUE;
-        memset(password, 0, sizeof(password));
         return (FALSE);
     }
 
     code = krb5_get_init_creds_password(context, &creds, client, password,
                                         krb5_prompter_posix, NULL, 0, NULL,
                                         options);
-    memset(password, 0, sizeof(password));
+    zap(password, sizeof(password));
 
 
     if (code) {
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index bb1072fe4a..47c161ec91 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,
     /*
      * Assemble the IAKERB-HEADER from the realm and cookie
      */
-    memset(&iah, 0, sizeof(iah));
     iah.target_realm = *realm;
     iah.cookie = cookie;
 
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 21c53ece15..9ab2c5a74e 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context,
         ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],
                                         NULL);
         if (ret) {
-            for (; i >= 0; i--) {
-                if (keys[i].contents) {
-                    memset (keys[i].contents, 0, keys[i].length);
-                    free( keys[i].contents );
-                }
-            }
-
-            memset(keys, 0, n_key_data*sizeof(krb5_keyblock));
+            for (; i >= 0; i--)
+                krb5_free_keyblock_contents(context, &keys[i]);
             free(keys);
             return ret;
         }
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 65c84be2f3..81a34bac9e 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len,
         if (ret) {
             free_kdc_req_body(b);
             free(h.server_realm.data);
-            memset(&h, 0, sizeof(h));
             return ret;
         }
         b->server->realm = h.server_realm;
-- 
2.47.2