Zeroize SFTP file payload buffers before freeing

yosuke-wolfssl · yosuke-wolfssl · commit 5a3a6a304b76 · 2026-06-23T14:46:00.000+09:00
diff --git a/src/wolfsftp.c b/src/wolfsftp.c
@@ -793,12 +793,13 @@ static int wolfSSH_SFTP_buffer_read(WOLFSSH* ssh, WS_SFTP_BUFFER* buffer,
 static void wolfSSH_SFTP_buffer_free(WOLFSSH* ssh, WS_SFTP_BUFFER* buffer)
 {
     if (ssh != NULL && buffer != NULL) {
-        buffer->idx = 0;
-        buffer->sz  = 0;
         if (buffer->data != NULL) {
+            ForceZero(buffer->data, buffer->sz);
             WFREE(buffer->data, ssh->ctx->heap, DYNTYPE_BUFFER);
             buffer->data = NULL;
         }
+        buffer->idx = 0;
+        buffer->sz  = 0;
     }
 }
 
@@ -1424,6 +1425,7 @@ static void wolfSSH_SFTP_RecvSetSend(WOLFSSH* ssh, byte* buf, int sz)
 
     /* free up existing data if needed */
     if (buf != state->buffer.data && state->buffer.data != NULL) {
+        ForceZero(state->buffer.data, state->buffer.sz);
         WFREE(state->buffer.data, ssh->ctx->heap, DYNTYPE_BUFFER);
         state->buffer.data = NULL;
     }

Original file line number	Diff line number	Diff line change
`@@ -793,12 +793,13 @@ static int wolfSSH_SFTP_buffer_read(WOLFSSH* ssh, WS_SFTP_BUFFER* buffer,`
`793`	`793`	`static void wolfSSH_SFTP_buffer_free(WOLFSSH* ssh, WS_SFTP_BUFFER* buffer)`
`794`	`794`	`{`
`795`	`795`	`if (ssh != NULL && buffer != NULL) {`
`796`		`- buffer->idx = 0;`
`797`		`- buffer->sz = 0;`
`798`	`796`	`if (buffer->data != NULL) {`
	`797`	`+ ForceZero(buffer->data, buffer->sz);`
`799`	`798`	`WFREE(buffer->data, ssh->ctx->heap, DYNTYPE_BUFFER);`
`800`	`799`	`buffer->data = NULL;`
`801`	`800`	`}`
	`801`	`+ buffer->idx = 0;`
	`802`	`+ buffer->sz = 0;`
`802`	`803`	`}`
`803`	`804`	`}`
`804`	`805`
`@@ -1424,6 +1425,7 @@ static void wolfSSH_SFTP_RecvSetSend(WOLFSSH* ssh, byte* buf, int sz)`
`1424`	`1425`
`1425`	`1426`	`/* free up existing data if needed */`
`1426`	`1427`	`if (buf != state->buffer.data && state->buffer.data != NULL) {`
	`1428`	`+ ForceZero(state->buffer.data, state->buffer.sz);`
`1427`	`1429`	`WFREE(state->buffer.data, ssh->ctx->heap, DYNTYPE_BUFFER);`
`1428`	`1430`	`state->buffer.data = NULL;`
`1429`	`1431`	`}`