On Thu, 10 Oct 2024 16:13:30 +0200
Serhii Iliushyk <sil-...@napatech.com> wrote:

> +
> +void hsh_nthw_delete(struct hsh_nthw *p)
> +{
> +     if (p) {
> +             (void)memset(p, 0, sizeof(*p));
> +             free(p);
> +     }
> +}
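
Review bot: the memset(p, 0, sizeof(*p)) directly before free(p) in hsh_nthw_delete() is a dead store, so an optimizing compiler may drop it and the function gives no guarantee that the object is cleared. If struct hsh_nthw holds nothing sensitive, remove the memset and the if (p) guard with it, since free(NULL) is a no-op and the body reduces to free(p). If it can hold sensitive data, clear it with a call the compiler is not allowed to elide.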

This pattern of memset before free is repeated many times in ntnic and is
problematic.
The compiler is free to remove the memset because the object p is now dead and
is a common source of CVEs.

This was flagged in the PVS-Studio bug report
        https://pvs-studio.com/en/blog/posts/cpp/1183/

In this case the info in hsh_nthw does not contain secrets and therefore
the memset should be removed.

For cases where the data structure does contain secrets, the function memset_s()
must be used.
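
For the secret-bearing case described in the reply above, a delete routine can look like the following. This is an added example, not part of the original email, the patch or ntnic: struct key_ctx, secure_zero() and nonzero_bytes() are hypothetical names, and memset_s() is used only where the C library advertises Annex K through __STDC_LIB_EXT1__, with volatile stores as the fallback.

```c
#define __STDC_WANT_LIB_EXT1__ 1 /* ask for Annex K memset_s() where libc has it */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define KEY_MAX 32

/* Hypothetical secret-bearing object (not a struct from ntnic). */
struct key_ctx {
	uint8_t key[KEY_MAX];
};

/* Zero n bytes with stores that dead-store elimination may not remove. */
static void secure_zero(void *p, size_t n)
{
#ifdef __STDC_LIB_EXT1__
	(void)memset_s(p, n, 0, n);
#else
	/* Annex K is optional: fall back to volatile-qualified stores. */
	volatile unsigned char *vp = p;
	while (n--)
		*vp++ = 0;
#endif
}

/* Count non-zero bytes; used to check a wipe on a still-live object. */
size_t nonzero_bytes(const void *p, size_t n)
{
	size_t i, count = 0;
	for (i = 0; i < n; i++)
		count += ((const unsigned char *)p)[i] != 0;
	return count;
}

/* Allocate a context and copy in at most KEY_MAX bytes of key material. */
struct key_ctx *key_ctx_new(const uint8_t *key, size_t len)
{
	struct key_ctx *p = len <= KEY_MAX ? calloc(1, sizeof(*p)) : NULL;
	if (p)
		memcpy(p->key, key, len);
	return p;
}

/* Wipe, then free. The NULL guard protects secure_zero(), not free(). */
void key_ctx_delete(struct key_ctx *p)
{
	if (p) {
		secure_zero(p, sizeof(*p));
		free(p);
	}
}
```

The wipe can only be checked on a live object, because reading the memory after free() is undefined behaviour.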
