On Fri, Apr 25, 2008 at 11:36:40AM +0400, Alexander Bokovoy wrote:

> Here we have non-equal behavior. Previously, the mountpassword content
> was zeroed before freeing it due to security reasons. As


Ah. Looking more carefully I am right and you are wrong. There is no
security benefit in zeroing out the password here. It's before a free,
so just free it.

> mount_cifs_usage() could be called multiple times (its call is in the
> getopt_long()'s loop) and, particulary, after password has been filled
> in, mountpassword's memory could still keep the password. Thus, memset()
> is still needed.


So what if the discarded memory holds the password ? No one but root
has access to the memory space and root has access to the password
anyway.

This is "voodoo" security - has no benefit.

Jeremy.