From e2c7ed2d0c8c114ae892d885cf1cb37b0455a38a Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Fri, 24 Apr 2026 16:54:55 +0200
Subject: [PATCH] security: clear auth credential buffers from stack after use
Information Disclosure: Medium The RAOP authentication header construction leaves sensitive material on the stack after the function returns: Base64-encoded credentials in enc[], MD5 password-derived hashes in h1/h2/resp[], and the assembled Authorization header in auth[]. These persist in stack memory and can be recovered via core dumps, memory disclosure vulnerabilities, or cold boot attacks. The plaintext password buffer (buf[]) was already properly cleared with explicit_bzero, but the derived credential buffers were not. Apply explicit_bzero to enc, h1, h2, resp, and auth before returning.
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-raop-sink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/modules/module-raop-sink.c b/src/modules/module-raop-sink.c
index 9b24a89a3..a6d579957 100644
--- a/src/modules/module-raop-sink.c
+++ b/src/modules/module-raop-sink.c
@@ -728,6 +728,7 @@ static int rtsp_add_raop_auth_header(struct impl *impl, const char *method)
 pw_base64_encode((uint8_t*)buf, strlen(buf), enc, '=');
 explicit_bzero(buf, sizeof(buf));
 spa_scnprintf(auth, sizeof(auth), "Basic %s", enc);
+ explicit_bzero(enc, sizeof(enc));
 } else if (spa_streq(impl->auth_method, "Digest")) {
 const char *url;
@@ -744,12 +745,16 @@ static int rtsp_add_raop_auth_header(struct impl *impl, const char *method)
 spa_scnprintf(auth, sizeof(auth), "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"", RAOP_AUTH_USER_NAME, impl->realm, impl->nonce, url, resp);
+ explicit_bzero(h1, sizeof(h1));
+ explicit_bzero(h2, sizeof(h2));
+ explicit_bzero(resp, sizeof(resp));
 } else goto error;
 pw_properties_setf(impl->headers, "Authorization", "%s %s", impl->auth_method, auth);
+ explicit_bzero(auth, sizeof(auth));
 return 0;
 error:
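Review bot: In the first hunk the Basic branch formats `auth` as `"Basic %s"`, while the `pw_properties_setf(impl->headers, "Authorization", "%s %s", impl->auth_method, auth)` call in the second hunk prepends `impl->auth_method` again, so as far as these two hunks show the stored header value would read `Basic Basic <base64>`. If that is not intended, `spa_scnprintf(auth, sizeof(auth), "%s", enc);` keeps the scheme name in one place; this predates the commit but sits directly next to the added line. The new `explicit_bzero(enc, sizeof(enc));` is correctly placed after the last read of `enc`. The function body starts and ends outside the hunk, so the declarations of `buf` and `enc` are not visible here.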
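Review bot: In the second hunk, `explicit_bzero(auth, sizeof(auth));` wipes only the stack copy, because the preceding `pw_properties_setf()` has already stored the same Authorization value in `impl->headers`, and `impl->password` also stays resident. The core-dump and memory-disclosure exposure named in the commit message is therefore narrowed rather than closed, and whether the properties container zeroes a value when it is replaced or freed cannot be seen from this hunk. A comment above the call would keep the guarantee from being overstated, for example `/* only the stack copies are wiped here; the header value lives on in impl->headers */`. If the header is needed for a single request only, removing the "Authorization" entry once that request has been sent (code outside this hunk) would shorten its lifetime further. The function continues past the `error:` label, outside the hunk.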