In D25443#561680, @delphij wrote:

I'm not 100% comfortable with the removal of these = NULL's but it appears that the code didn't cared about their value being non-zero, so the change as-is seemed Okay.

I'd probably change key_cleansav() to perform a bzero on the whole 'sav' structure and remove all sav->* = NULL, but that's only a personal preference.

I'd be fine doing a single zero of the sav. I'd much rather do that centralized than the current approach of partial clearing scattered about. I do think that in all these cases we are doing a zero just before freeing, and that none of these pointers being cleared currently are sensitive in the sense of requiring explicit_bzero().

In D25443#562009, @jhb wrote:

In D25443#561680, @delphij wrote:

I'm not 100% comfortable with the removal of these = NULL's but it appears that the code didn't cared about their value being non-zero, so the change as-is seemed Okay.

I'd probably change key_cleansav() to perform a bzero on the whole 'sav' structure and remove all sav->* = NULL, but that's only a personal preference.

I'd be fine doing a single zero of the sav. I'd much rather do that centralized than the current approach of partial clearing scattered about. I do think that in all these cases we are doing a zero just before freeing, and that none of these pointers being cleared currently are sensitive in the sense of requiring explicit_bzero().

Hmm, this is not quite trivial. Some fields like sav->lock and sav->lftc_c probably need to not be zeroed in key_cleansav. Some of that I can fix by moving key_cleansav down in key_delsav just before the free and in that case we could even use zfree. This would potentially permit removing many of the NULL assignments from key_cleansav. However, key_cleansav is also called for the error case for key_setsaval. Hmm, looking at that more though, if that errors the key always gets freed, and in one of those cases we effectively duplicate key_freeval. Maybe I can clean this up.

In D25443#562018, @jhb wrote:

In D25443#562009, @jhb wrote:

In D25443#561680, @delphij wrote:

I'm not 100% comfortable with the removal of these = NULL's but it appears that the code didn't cared about their value being non-zero, so the change as-is seemed Okay.

I'd probably change key_cleansav() to perform a bzero on the whole 'sav' structure and remove all sav->* = NULL, but that's only a personal preference.

I'd be fine doing a single zero of the sav. I'd much rather do that centralized than the current approach of partial clearing scattered about. I do think that in all these cases we are doing a zero just before freeing, and that none of these pointers being cleared currently are sensitive in the sense of requiring explicit_bzero().

Hmm, this is not quite trivial. Some fields like sav->lock and sav->lftc_c probably need to not be zeroed in key_cleansav. Some of that I can fix by moving key_cleansav down in key_delsav just before the free and in that case we could even use zfree. This would potentially permit removing many of the NULL assignments from key_cleansav. However, key_cleansav is also called for the error case for key_setsaval. Hmm, looking at that more though, if that errors the key always gets freed, and in one of those cases we effectively duplicate key_freeval. Maybe I can clean this up.

Hmmm, I guess for key_setsaval from key_update it is possible the ref count is greater than 0. I can put some of the NULL pointers back I suppose.