DragonFlyBSD Kernel Audit
DF-0464

bzero (not explicit_bzero) used to clear sensitive key material in heap structs: DSE risk

Summary

Heap-resident secrets are cleared with plain bzero: r_ss (:411), the full handshake struct containing hs_e/hs_ck/hs_hash (:678), and the PSK (:634). Stack secrets correctly use explicit_bzero (:343, :608, :830, etc.). Dead-store elimination (DSE) may remove a bzero call if the compiler can prove the memory is never read afterwards. This is a defense-in-depth inconsistency. Fix: replace bzero with explicit_bzero at :411, :634 and :678.
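
The pattern behind this finding, as an added userland C example (not the audited kernel source). The field names come from the summary; the struct layout, the sizes and the names `wipe`, `residue`, `hs_free_weak` and `hs_free_hardened` are assumptions, and `wipe` stands in for the kernel's explicit_bzero.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout: field names are from the finding, sizes are assumed. */
struct handshake {
    unsigned char hs_e[32];
    unsigned char hs_ck[32];
    unsigned char hs_hash[32];
};

/* Userland stand-in for explicit_bzero(): the call goes through a volatile
 * function pointer, so the compiler cannot prove which function runs and
 * therefore cannot discard the store as dead. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

static void wipe(void *p, size_t n)
{
    memset_v(p, 0, n);
}

/* Counts bytes that are still non-zero; used to check a wipe took effect. */
size_t residue(const void *p, size_t n)
{
    const unsigned char *b = p;
    size_t left = 0;

    for (size_t i = 0; i < n; i++)
        left += (b[i] != 0);
    return left;
}

/* Weak form: nothing reads *hs between the clear and free(), so the clear is
 * a dead store and an optimizing compiler may delete it. The key material
 * then stays in the freed heap chunk. */
void hs_free_weak(struct handshake *hs)
{
    memset(hs, 0, sizeof(*hs));
    free(hs);
}

/* Hardened form: the clear is performed regardless of optimization level. */
void hs_free_hardened(struct handshake *hs)
{
    wipe(hs, sizeof(*hs));
    free(hs);
}
```

Comparing the optimized assembly of the two free functions (for example at -O2) shows whether the clearing call survived in each.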