use safe_memset() instead of the plain memset() which can be optimized out.

src/common.h

@@ -52,5 +52,20 @@ int recv_socket_msg(int fd, uint8_t cmd,
 
 const char* cmd_request_to_str(unsigned cmd);
 
+inline static
+void safe_memset(void *data, int c, size_t size)
+{
+	volatile unsigned volatile_zero = 0;
+	volatile char *vdata = (volatile char*)data;
+
+	/* This is based on a nice trick for safe memset,
+	 * sent by David Jacobson in the openssl-dev mailing list.
+	 */
+
+	do {
+		memset(data, c, size);
+	} while(vdata[volatile_zero] != c);
+}
+
 #endif
 

src/main.c

@@ -566,7 +566,7 @@ void clear_lists(main_server_st *s)
 		if (ctmp->auth_ctx != NULL)
 			proc_auth_deinit(s, ctmp);
 		list_del(&ctmp->list);
-		memset(ctmp, 0, sizeof(*ctmp));
+		safe_memset(ctmp, 0, sizeof(*ctmp));
 		free(ctmp);
 		s->proc_list.total--;
 	}
@@ -584,7 +584,7 @@ void clear_lists(main_server_st *s)
 	tls_cache_deinit(s->tls_db);
 	ip_lease_deinit(&s->ip_leases);
 	ctl_handler_deinit(s);
-	memset(s->cookie_key, 0, sizeof(s->cookie_key));
+	safe_memset(s->cookie_key, 0, sizeof(s->cookie_key));
 }
 
 static void kill_children(main_server_st* s)

src/tlslib.c

@@ -203,7 +203,7 @@ struct htable_iter iter;
 	cache = htable_first(&db->ht, &iter);
 	while(cache != NULL) {
 		if (cache->session_data_size > 0) {
-	          	memset(cache->session_data, 0, cache->session_data_size);
+	          	safe_memset(cache->session_data, 0, cache->session_data_size);
 	          	cache->session_data_size = 0;
 	          	cache->session_id_size = 0;
 		}