On 13 January 2015 at 11:35, Stefan Roese <s...@denx.de> wrote: > Hi Wolfgang, > > On 12.01.2015 22:10, Wolfgang Denk wrote: >>>> >>>> Should we add a memset(buf, 0, sizeof(buf)) before the memcpy() to >>>> prevent information from earlier activities to leak? >>> >>> >>> "buf" points to the new data to be written into the flash. We're >>> overwriting the first "len" bytes of "cmp_buf" with this data. >> >> >> Oh, sorry for the mixup. Then cmp_buf should be cleared (or at elast >> the remaining, unused part). > > > No. cmp_buf contains the original data from the flash. And only the > beginning of this buffer is overwritten with the new data from "buf". So, > the result of the memcpy() is that "cmp_buf" contains the data that should > be written into the flash. Its a combination of the "original data" and the > "new data". > >>> I don't see why we should erase anything there. Perhaps I'm missing >>> something though. >> >> >> You are leaking data. This could contain "interesting" information; >> see the OpenSSL “Heartbleed” vulnerability for a (nasty) example what >> information leakage can do. > > > There is nothing leaking here. When anything would be zeroed out, the > resulting buffer would not be the one that should be used.
I think this thread link got stopped any further update on this. thanks! -- Jagan. _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
