I'm working on a C function `getCredentials` and encountered a Checkmarx flag regarding the variable `lpass`. However, in my understanding, both `lid` and `lpass` are locally stored on the stack within the function:
```c
#include <string.h>

/* userid_size and pwd_size are compile-time buffer sizes defined elsewhere. */
void getCredentials(char *id, char *pass) {
    char lid[userid_size];
    char lpass[pwd_size]; // Flagged in Checkmarx
    /* Note: strncpy does not NUL-terminate if the source fills the buffer. */
    strncpy(lid, id, userid_size);
    strncpy(lpass, pass, pwd_size);
    // dbconnect(&dbstruct, lpass, lid);
}
```
Can someone clarify why Checkmarx flags `lpass` for heap inspection, and whether this is a false positive or there's a potential issue that I'm overlooking?
"Heap Inspection" is about sensitive information stored in the machine memory unencrypted. Where exactly it is stored is completely irrelevant.
Any copy of sensitive information should be destroyed as soon as it is no longer needed. Otherwise an attacker who has read-only access to the process memory can inspect it and search for sensitive data. It can potentially survive deallocation, death of the process, and subsequent allocation of that memory by a different process, where it can be inspected.
If you need to temporarily store an unencrypted copy of a password, zero it out as soon as you are done with it. This mitigates the risk but does not eliminate it completely. The latter is not possible under this model of attack, because the breach has already occurred and the attacker has some level of access. If he is sufficiently lucky, he will find unencrypted info just in the brief moment when it exists.
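As an added illustration of the answer's advice (this is example code, not the asker's function or Checkmarx's own guidance), the following C shows the question's `getCredentials` rewritten so that the plaintext copies are zeroed before the function returns, plus a small check that the wipe actually leaves no residue. The buffer sizes, the `secure_zero` helper, `fake_dbconnect` (a stand-in for the commented-out `dbconnect`) and the sample password are all assumptions constructed for the example. The wipe writes through a `volatile` pointer because a plain `memset` immediately before `return` is a dead store the compiler may legally remove; where available, `explicit_bzero`, `memset_s` or `SecureZeroMemory` do the same job.

```c
#include <stddef.h>
#include <string.h>

/* Assumed sizes; the question's userid_size / pwd_size are not given. */
#define USERID_SIZE 32
#define PWD_SIZE 64

/* Hypothetical wipe helper (not from the question). Storing through a
 * volatile pointer keeps the compiler from eliding the writes as dead code.
 * Prefer explicit_bzero() / memset_s() / SecureZeroMemory() where present. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0) {
        *vp++ = 0;
    }
}

/* Bounded copy that always NUL-terminates (strncpy alone does not). */
static void copy_bounded(char *dst, size_t dst_size, const char *src) {
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* Constructed stand-in for the commented-out dbconnect(): consumes the
 * plaintext credentials and returns 0 on "success", -1 if either is empty. */
static int fake_dbconnect(const char *pass, const char *id) {
    return (pass[0] != '\0' && id[0] != '\0') ? 0 : -1;
}

/* Returns 1 if every byte in [p, p+n) is zero, else 0. */
int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    size_t i;
    for (i = 0; i < n; i++) {
        if (b[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* The question's getCredentials() with the plaintext lifetime cut short:
 * both local copies are wiped before the stack frame is released. */
int getCredentialsWiped(const char *id, const char *pass) {
    char lid[USERID_SIZE];
    char lpass[PWD_SIZE];
    int rc;

    copy_bounded(lid, sizeof lid, id);
    copy_bounded(lpass, sizeof lpass, pass);

    rc = fake_dbconnect(lpass, lid);

    /* Wipe the whole buffers, not just strlen(), so no fragment survives. */
    secure_zero(lpass, sizeof lpass);
    secure_zero(lid, sizeof lid);
    return rc;
}

/* Shows the residue problem on a caller-owned buffer, where inspecting it
 * after use is well-defined. Returns 1 if the plaintext password is still
 * readable in buf after the "use", 0 if it has been cleared. */
int residue_after_use(char *buf, size_t buf_size, const char *pass, int wipe) {
    copy_bounded(buf, buf_size, pass);
    (void)fake_dbconnect(buf, "user");
    if (wipe) {
        secure_zero(buf, buf_size);
    }
    return strncmp(buf, pass, buf_size) == 0 ? 1 : 0;
}

/* Convenience wrapper using a constructed sample password. */
int demo_residue(int wipe) {
    char scratch[PWD_SIZE];
    return residue_after_use(scratch, sizeof scratch, "correct-horse-example", wipe);
}
```

`demo_residue(0)` returns 1 (the password is still sitting in the buffer after it was used), while `demo_residue(1)` returns 0. This is the narrowing of the exposure window the answer describes; it does not remove the moment during `fake_dbconnect` when the plaintext necessarily exists, nor any copies the callee makes.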