From 282bc830eeaff53eaf8f072462495e28f072afec Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Wed, 29 Apr 2026 15:00:13 +0700 Subject: [PATCH] agent: document unavoidable passphrase residue in eldbus message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The passphrase is copied into the libdbus-owned outbound message buffer and freed asynchronously by eldbus after the reply is sent — we cannot wipe it ourselves. Callers already explicit_bzero their own copies; add a comment so future readers don't mistake the missing wipe here for an oversight. --- src/iwd/iwd_agent.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/iwd/iwd_agent.c b/src/iwd/iwd_agent.c index e7cc974..df8a5b4 100644 --- a/src/iwd/iwd_agent.c +++ b/src/iwd/iwd_agent.c @@ -115,6 +115,12 @@ void iwd_agent_reply(Iwd_Agent_Request *req, const char *passphrase) { if (!req) return; + /* The passphrase is copied into the eldbus/libdbus marshalled message + * buffer here. We can't wipe that buffer ourselves — eldbus owns it and + * frees it asynchronously after the call is sent. Callers are expected + * to explicit_bzero their own copy of `passphrase` after this returns; + * the residue inside the outbound D-Bus message is unavoidable at this + * boundary. */ Eldbus_Message *r = eldbus_message_method_return_new(req->msg); eldbus_message_arguments_append(r, "s", passphrase ? passphrase : ""); eldbus_connection_send(req->agent->conn, r, NULL, NULL, -1);