authorTobias Brunner <tobias@strongswan.org>2017-08-02 11:39:31 +0200
committerTobias Brunner <tobias@strongswan.org>2017-08-07 16:55:40 +0200
commit6fadc6a859d72315f72946b008f998a0d4c545e4 (patch)
treeab9c49e1601e2b790bea0f05ca8b0b8b82217f26
parent1a75514b768791debc9ea4d1f6e469b6d09f58c7 (diff)
downloadstrongswan-6fadc6a859d72315f72946b008f998a0d4c545e4.tar.bz2
strongswan-6fadc6a859d72315f72946b008f998a0d4c545e4.tar.xz
kernel-netlink: Wipe buffer used to read Netlink messages
When querying SAs the keys will end up in this buffer (the allocated messages that are returned are already wiped). The kernel also returns XFRM_MSG_NEWSA as the response to XFRM_MSG_ALLOCSPI, but we can't distinguish the two cases here as we only see the response. References #2388.
-rw-r--r--src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index cf85cb0a6..f3b5b1d4a 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -265,9 +265,10 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
{
struct nlmsghdr *hdr;
char buf[this->buflen];
- ssize_t len;
+ ssize_t len, read_len;
+ bool wipe = FALSE;
- len = read_msg(this, buf, sizeof(buf), block);
+ len = read_len = read_msg(this, buf, sizeof(buf), block);
if (len == -1)
{
return TRUE;
@@ -277,6 +278,11 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
hdr = (struct nlmsghdr*)buf;
while (NLMSG_OK(hdr, len))
{
+ if (this->protocol == NETLINK_XFRM &&
+ hdr->nlmsg_type == XFRM_MSG_NEWSA)
+ { /* wipe potential IPsec SA keys */
+ wipe = TRUE;
+ }
if (!queue(this, hdr))
{
break;
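Review bot: A `queue()` failure at this `break` leaves every message after the failing one uninspected, so an XFRM_MSG_NEWSA later in the same read never sets `wipe` and its keys stay in `buf` when the function returns. On a NETLINK_XFRM socket the error path should assume the worst rather than rely on the flag having been set earlier, e.g. `if (!queue(this, hdr)) { wipe = (this->protocol == NETLINK_XFRM); break; }`. This costs one wipe of `read_len` bytes on a path that is already failing, so it is cheap. read_and_queue starts before this hunk and ends after it.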
@@ -284,6 +290,10 @@ static bool read_and_queue(private_netlink_socket_t *this, bool block)
hdr = NLMSG_NEXT(hdr, len);
}
}
+ if (wipe)
+ {
+ memwipe(buf, read_len);
+ }
return FALSE;
}
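Review bot: The `memwipe` relies on this `return FALSE` being the only exit once data has been read into `buf`; the lines between the first and second hunks are not shown, so any return there, or any early return later added inside the loop, would skip the wipe. Making that invariant explicit next to the wipe would help the next maintainer, e.g. `/* len was advanced by NLMSG_NEXT, so wipe the full read_len bytes; keep this the sole exit once data is in buf */`. The use of `read_len` rather than `len` is correct for the same reason but is not obvious without a comment. read_and_queue begins before this hunk.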