* setpwd.cc (client_request_setpwd::serve): Use RtlSecureZeroMemory to

	delete password from memory.

2 files changed, 7 insertions, 2 deletions

diff --git a/winsup/cygserver/ChangeLog b/winsup/cygserver/ChangeLog
index 5a4975746..02593fdbb 100644
--- a/winsup/cygserver/ChangeLog
+++ b/winsup/cygserver/ChangeLog
@@ -1,3 +1,8 @@
+2014-03-06  Corinna Vinschen  <corinna@vinschen.de>
+
+	* setpwd.cc (client_request_setpwd::serve): Use RtlSecureZeroMemory to
+	delete password from memory.
+
 2013-11-06  Christopher Faylor  <me.cygwin2013@cgf.cx>
 
 	* configure.ac: Detect windows headers/libs after we've figured out the
diff --git a/winsup/cygserver/setpwd.cc b/winsup/cygserver/setpwd.cc
index 8125fd25a..4f996d3b5 100644
--- a/winsup/cygserver/setpwd.cc
+++ b/winsup/cygserver/setpwd.cc
@@ -1,6 +1,6 @@
 /* setpwd.cc: Set LSA private data password for current user.
 
-   Copyright 2008 Red Hat, Inc.
+   Copyright 2008, 2014 Red Hat, Inc.
 
 This file is part of Cygwin.
 
@@ -91,7 +91,7 @@ client_request_setpwd::serve (transport_layer_base *const conn,
   RtlInitUnicodeString (&data, _parameters.in.passwd);
   status = LsaStorePrivateData (lsa, &key, data.Length ? &data : NULL);
   if (data.Length)
-    memset (data.Buffer, 0, data.Length);
+    RtlSecureZeroMemory (data.Buffer, data.Length);
   /* Success or we're trying to remove a password entry which doesn't exist. */
   if (NT_SUCCESS (status)
       || (data.Length == 0 && status == STATUS_OBJECT_NAME_NOT_FOUND))