Add a zero_bytes() function to do the equivalent of bzero in such a

way that will heopfully not be optimized away by sneaky compilers.

auth/aix_auth.c

@@ -74,7 +74,7 @@ aixauth_verify(pw, prompt, auth)
     char *prompt;
     sudo_auth *auth;
 {
-    volatile char *pass;
+    char *pass;
     char *message;
     int reenter = 1;
     int rval = AUTH_FAILURE;
@@ -83,7 +83,7 @@ aixauth_verify(pw, prompt, auth)
     if (pass) {
 	if (authenticate(pw->pw_name, (char *)pass, &reenter, &message) == 0)
 	    rval = AUTH_SUCCESS;
-	memset(pass, 0, strlen(pass));
+	zero_bytes(pass, strlen(pass));
     }
     return(rval);
 }

auth/bsdauth.c

@@ -116,7 +116,7 @@ bsdauth_verify(pw, prompt, auth)
     char *prompt;
     sudo_auth *auth;
 {
-    volatile char *pass;
+    char *pass;
     char *s;
     size_t len;
     int authok = 0;
@@ -165,7 +165,7 @@ bsdauth_verify(pw, prompt, auth)
 
     if (pass) {
 	authok = auth_userresponse(as, (char *)pass, 1);
-	memset(pass, 0, strlen(pass));
+	zero_bytes(pass, strlen(pass));
     }
 
     /* restore old signal handler */

auth/fwtk.c

@@ -114,8 +114,8 @@ fwtk_verify(pw, prompt, auth)
     char *prompt;
     sudo_auth *auth;
 {
-    volatile char *pass;		/* Password from the user */
-    volatile char buf[SUDO_PASS_MAX + 12]; /* General prupose buffer */
+    char *pass;				/* Password from the user */
+    char buf[SUDO_PASS_MAX + 12];	/* General prupose buffer */
     char resp[128];			/* Response from the server */
     int error;
     extern int nil_pw;
@@ -166,8 +166,8 @@ fwtk_verify(pw, prompt, auth)
 	warnx("%s", resp);
     error = AUTH_FAILURE;
 done:
-    memset(pass, 0, strlen(pass));
-    memset(buf, 0, strlen(buf));
+    zero_bytes(pass, strlen(pass));
+    zero_bytes(buf, strlen(buf));
     return(error);
 }
 

auth/pam.c

@@ -190,16 +190,16 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
     struct pam_response **response;
     VOID *appdata_ptr;
 {
-    volatile struct pam_response *pr;
+    struct pam_response *pr;
     PAM_CONST struct pam_message *pm;
     const char *p = def_prompt;
-    volatile char *pass;
+    char *pass;
     int n, flags;
     extern int nil_pw;
 
     if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL)
 	return(PAM_CONV_ERR);
-    (void) memset(*response, 0, num_msg * sizeof(struct pam_response));
+    zero_bytes(*response, num_msg * sizeof(struct pam_response));
 
     for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
 	flags = tgetpass_flags;
@@ -217,7 +217,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
 		if (*pr->resp == '\0')
 		    nil_pw = 1;		/* empty password */
 		else
-		    memset(pass, 0, strlen(pass));
+		    zero_bytes(pass, strlen(pass));
 		break;
 	    case PAM_TEXT_INFO:
 		if (pm->msg)
@@ -233,13 +233,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
 		/* Zero and free allocated memory and return an error. */
 		for (pr = *response, n = num_msg; n--; pr++) {
 		    if (pr->resp != NULL) {
-			(void) memset(pr->resp, 0, strlen(pr->resp));
+			zero_bytes(pr->resp, strlen(pr->resp));
 			free(pr->resp);
 			pr->resp = NULL;
 		    }
 		}
-		(void) memset(*response, 0,
-		    num_msg * sizeof(struct pam_response));
+		zero_bytes(*response, num_msg * sizeof(struct pam_response));
 		free(*response);
 		*response = NULL;
 		return(PAM_CONV_ERR);

auth/sudo_auth.c

@@ -117,7 +117,7 @@ verify_user(pw, prompt)
     int success = AUTH_FAILURE;
     int status;
     int flags;
-    volatile char *p;
+    char *p;
     sudo_auth *auth;
     sigaction_t sa, osa;
 
@@ -202,7 +202,7 @@ verify_user(pw, prompt)
 	}
 #ifndef AUTH_STANDALONE
 	if (p)
-	    (void) memset(p, 0, strlen(p));
+	    zero_bytes(p, strlen(p));
 #endif
 
 	/* Exit loop on nil password, but give it a chance to match first. */