
(ITS#8474) Securely Erase BerElement Buffer After Use



Full_Name: Alan Cronin
Version: 2.4.44
OS: Windows 8.1
URL: https://dl.dropboxusercontent.com/u/82343475/SecurelyEraseBuffer.diff
Submission from: (NULL) (2001:420:4041:2003:f942:59a5:545f:b334)


The following patch is a modification to the OpenLDAP BerElement buffer. The
buffer can be used to contain the LDAP request, including the password for
authentication. While this is freed when it is no longer needed, the contents
of the buffer are not overwritten in memory. This can lead to someone reading
the memory of the process and determining what the password is. The change
included in this patch will iterate over the memory and clear it. This will
remove any trace of the password by the time execution is handed back to the
caller.

The attached patch file is derived from OpenLDAP Software. All of the
modifications to OpenLDAP Software represented in the following patch(es) were
developed by Alan Cronin alcronin@cisco.com. I have not assigned rights and/or
interest in this work to any party.
The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by Cisco
Systems, Inc. Cisco Systems, Inc. has not assigned rights and/or interest in
this work to any party. I, Alan Cronin, am authorized by Cisco Systems, Inc., my
employer, to release this work under the following terms.
Cisco Systems, Inc. hereby places the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
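The point of the report above is that freeing a buffer does not clear it, so a bind password can survive in process memory until the allocator reuses the block. The example below is added here to illustrate that technique in working code; it is not the patch from the Dropbox link and not OpenLDAP's own BerElement API. The `secbuf_t` structure, the function names and the sample DN and password are all hypothetical stand-ins. One detail the report does not mention but a reviewer would check: a plain `memset()` immediately before `free()` is a dead store that an optimising compiler may remove, so the wipe below goes through a `volatile` function pointer to force the call to be emitted.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a BerElement-style request buffer; this is
 * not OpenLDAP's own structure or API. */
typedef struct {
    unsigned char *buf;   /* start of the allocation */
    size_t         size;  /* bytes allocated */
    size_t         used;  /* bytes of encoded request stored so far */
} secbuf_t;

/* memset() reached through a volatile function pointer.  A direct
 * memset() right before free() is a dead store the optimiser may delete;
 * the volatile indirection forces the call to actually happen. */
static void *(*volatile secure_memset_fn)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n)
{
    if (p != NULL && n > 0)
        secure_memset_fn(p, 0, n);
}

secbuf_t *secbuf_alloc(size_t size)
{
    secbuf_t *b = calloc(1, sizeof *b);
    if (b == NULL)
        return NULL;
    b->buf = malloc(size);
    if (b->buf == NULL) {
        free(b);
        return NULL;
    }
    b->size = size;
    b->used = 0;
    return b;
}

/* Append bytes to the request; returns 0 on success, -1 if they do not fit. */
int secbuf_append(secbuf_t *b, const void *data, size_t n)
{
    if (b == NULL || n > b->size - b->used)
        return -1;
    memcpy(b->buf + b->used, data, n);
    b->used += n;
    return 0;
}

/* Count non-zero bytes over the whole allocation, not just 'used':
 * stale data from an earlier, longer request can sit past the current
 * write position as well. */
size_t secbuf_nonzero(const secbuf_t *b)
{
    size_t count = 0;
    for (size_t i = 0; b != NULL && i < b->size; i++)
        if (b->buf[i] != 0)
            count++;
    return count;
}

/* Clear the full allocation in place.  This is the step the report asks
 * for: it must run before free(), because after free() the bytes are no
 * longer ours to touch. */
void secbuf_wipe(secbuf_t *b)
{
    if (b != NULL)
        secure_wipe(b->buf, b->size);
}

/* Wipe, then release.  The header is wiped too so the pointer and
 * lengths do not leak where the buffer used to be. */
void secbuf_free_secure(secbuf_t *b)
{
    if (b == NULL)
        return;
    secbuf_wipe(b);
    free(b->buf);
    secure_wipe(b, sizeof *b);
    free(b);
}

/* Walk through the scenario in the report: a simple-bind DN and password
 * land in the buffer, then we confirm nothing remains after the wipe.
 * Returns 1 if the wipe left no non-zero bytes, 0 otherwise. */
int demo_bind_buffer_wiped(void)
{
    /* Constructed sample data; any bind request would carry the same shape. */
    static const char dn[] = "cn=admin,dc=example,dc=com";
    static const char pw[] = "hunter2";
    secbuf_t *b = secbuf_alloc(64);
    if (b == NULL)
        return 0;
    if (secbuf_append(b, dn, sizeof dn - 1) != 0 ||
        secbuf_append(b, pw, sizeof pw - 1) != 0) {
        secbuf_free_secure(b);
        return 0;
    }
    size_t before = secbuf_nonzero(b);
    secbuf_wipe(b);
    size_t after = secbuf_nonzero(b);
    secbuf_free_secure(b);
    return before > 0 && after == 0;
}
```

Where the platform provides `explicit_bzero()` (glibc, the BSDs) or `memset_s()` (C11 Annex K), either can replace the volatile-pointer trick; they exist for exactly this reason. Either way, wiping only defends against a reader that inspects the heap after the request is done; a debugger, a core dump or a memory-disclosure bug that fires while the bind is in flight still sees the password.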