if the key is a secret to be cleared with explicit_bzero, then the

length of that key is also a secret, may as well clear it also

diff --git a/sbin/vnconfig/vnconfig.c b/sbin/vnconfig/vnconfig.c
index cc179e0..2af24b5 100644 (file)
--- a/sbin/vnconfig/vnconfig.c
+++ b/sbin/vnconfig/vnconfig.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: vnconfig.c,v 1.5 2019/06/28 13:32:46 deraadt Exp $    */
+/*     $OpenBSD: vnconfig.c,v 1.6 2021/09/22 20:43:16 deraadt Exp $    */
 /*
  * Copyright (c) 1993 University of Utah.
  * Copyright (c) 1990, 1993
@@ -324,6 +324,7 @@ config(char *file, char *dev, struct disklabel *dp, char *key, size_t keylen)
  out:
        if (key)
                explicit_bzero(key, keylen);
+       explicit_bzero(&vndio.vnd_keylen, sizeof vndio.vnd_keylen);
        return (rv == -1);
 }