Addressed Checkmarx issues

2025-12-10 05:13:38 +00:00 · 2020-09-17 12:59:15 -07:00
parent 20d4345a87
commit 8cdcfcb187
16 changed files with 77 additions and 33 deletions
--- a/meshcore/KVM/Linux/linux_kvm.c
+++ b/meshcore/KVM/Linux/linux_kvm.c
@@ -526,7 +526,7 @@ int kvm_init(int displayNo)
 	}
-	sprintf(displayString, ":%d", (int)displayNo);
+	sprintf_s(displayString, sizeof(displayString), ":%d", (int)displayNo);
 	if (count == 10) { return -1; }
 	count = 0;
@@ -549,7 +549,7 @@ int kvm_init(int displayNo)
 	while (eventdisplay == NULL && count++ < 100) 
 	{
 		if (getNextDisplay() == -1) { return -1; }
-		sprintf(displayString, ":%d", (int)current_display);
+		sprintf_s(displayString, sizeof(displayString), ":%d", (int)current_display);
 		eventdisplay = x11_exports->XOpenDisplay(displayString);
 	}
@@ -945,7 +945,7 @@ void* kvm_server_mainloop(void* parm)
 		CheckDesktopSwitch(1);
 		//fprintf(logFile, "After CheckDesktopSwitch.\n"); fflush(logFile);
-		sprintf(displayString, ":%d", (int)current_display);
+		sprintf_s(displayString, sizeof(displayString), ":%d", (int)current_display);
 		imagedisplay = x11_exports->XOpenDisplay(displayString);
 		count = 0;
--- a/meshcore/KVM/Linux/linux_tile.c
+++ b/meshcore/KVM/Linux/linux_tile.c
@@ -52,7 +52,7 @@ int get_tile_buffer(int x, int y, void **buffer, long long bufferSize, void *des
 	int height = 0;
 	for (height = y; height < y + tileheight; height++) {
-		memcpy(target, (const void *)(((char *)desktop) + (3 * ((height * adjust_screen_size(SCREEN_WIDTH)) + x))), (size_t)(tilewidth * 3));
+		memcpy_s(target, (size_t)bufferSize, (const void *)(((char *)desktop) + (3 * ((height * adjust_screen_size(SCREEN_WIDTH)) + x))), (size_t)(tilewidth * 3));
 		target = (char *) (target + (3 * tilewidth));
 	}
@@ -380,7 +380,7 @@ int getTileAt(int x, int y, void** buffer, long long *bufferSize, void *desktop,
 			((unsigned short*)*buffer)[5] = 0;														// RESERVED
 			((unsigned short*)*buffer)[6] = (unsigned short)htons((unsigned short)x);				// X position
 			((unsigned short*)*buffer)[7] = (unsigned short)htons((unsigned short)y);				// Y position
-			memcpy((char *)(*buffer) + 16, jpeg_buffer, jpeg_buffer_length);
+			memcpy_s((char *)(*buffer) + 16, *bufferSize -16, jpeg_buffer, jpeg_buffer_length);
 		}
 		else
 		{
@@ -388,7 +388,7 @@ int getTileAt(int x, int y, void** buffer, long long *bufferSize, void *desktop,
 			((unsigned short*)*buffer)[1] = (unsigned short)htons((unsigned short)*bufferSize);		// Write the size
 			((unsigned short*)*buffer)[2] = (unsigned short)htons((unsigned short)x);				// X position
 			((unsigned short*)*buffer)[3] = (unsigned short)htons((unsigned short)y);				// Y position
-			memcpy((char *)(*buffer) + 8, jpeg_buffer, jpeg_buffer_length);
+			memcpy_s((char *)(*buffer) + 8, *bufferSize -8, jpeg_buffer, jpeg_buffer_length);
 		}
 		free(jpeg_buffer);
--- a/meshcore/KVM/MacOS/mac_tile.c
+++ b/meshcore/KVM/MacOS/mac_tile.c
@@ -10,6 +10,7 @@
 #include "mac_tile.h"
 #include "../../meshinfo.h"
 #include "../../meshdefines.h"
 #include "../../../microstack/ILibParsers.h"
 extern CGDirectDisplayID SCREEN_NUM;
 extern int SCREEN_WIDTH;
@@ -47,7 +48,7 @@ int get_tile_buffer(int x, int y, void **buffer, long long bufferSize, void *des
 	int height = 0;
 	for (height = y; height < y + tileheight; height++) {
-		memcpy(target, (const void *)(((char *)desktop) + (3 * ((height * adjust_screen_size(SCREEN_WIDTH)) + x))), (size_t)(tilewidth * 3));
+		memcpy_s(target, (size_t)bufferSize - (target - (char*)*buffer), (void *)(((char *)desktop) + (3 * ((height * adjust_screen_size(SCREEN_WIDTH)) + x))), (size_t)(tilewidth * 3));
 		target = (char *) (target + (3 * tilewidth));
 	}
@@ -375,7 +376,7 @@ int getTileAt(int x, int y, void** buffer, long long *bufferSize, void *desktop,
 			((unsigned short*)*buffer)[5] = 0;														// RESERVED
 			((unsigned short*)*buffer)[6] = (unsigned short)htons((unsigned short)x);				// X position
 			((unsigned short*)*buffer)[7] = (unsigned short)htons((unsigned short)y);				// Y position
-			memcpy((char *)(*buffer) + 16, jpeg_buffer, jpeg_buffer_length);
+			memcpy_s((char *)(*buffer) + 16, (*bufferSize - 16), jpeg_buffer, jpeg_buffer_length);
 		}
 		else
 		{
@@ -383,7 +384,7 @@ int getTileAt(int x, int y, void** buffer, long long *bufferSize, void *desktop,
 			((unsigned short*)*buffer)[1] = (unsigned short)htons((unsigned short)*bufferSize);		// Write the size
 			((unsigned short*)*buffer)[2] = (unsigned short)htons((unsigned short)x);				// X position
 			((unsigned short*)*buffer)[3] = (unsigned short)htons((unsigned short)y);				// Y position
-			memcpy((char *)(*buffer) + 8, jpeg_buffer, jpeg_buffer_length);
+			memcpy_s((char *)(*buffer) + 8, (*bufferSize - 8), jpeg_buffer, jpeg_buffer_length);
 		}
 		free(jpeg_buffer);
 		jpeg_buffer = NULL;
--- a/meshcore/agentcore.c
+++ b/meshcore/agentcore.c
@@ -709,6 +709,7 @@ duk_ret_t ILibDuktape_MeshAgent_GenerateCertificate(duk_context *ctx)
 	util_free(data);
 	util_freecert(&cert);
 	SSL_TRACE2("ILibDuktape_MeshAgent_GenerateCertificate()");
 	passphrase = NULL;
 	return 1;
 #endif
 }
@@ -3334,7 +3335,7 @@ void MeshServer_ConnectEx(MeshAgentHostContainer *agent)
 	{
 		if (agent->multicastServerUrl != NULL) {
 			serverUrl = agent->multicastServerUrl;
-			serverUrlLen = (int)strlen(serverUrl);
+			serverUrlLen = (int)strnlen_s(serverUrl, sizeof(ILibScratchPad));
 		}
 		else
 		{
@@ -4716,6 +4717,7 @@ int MeshAgent_AgentMode(MeshAgentHostContainer *agentHost, int paramLen, char **
 			duk_peval_string_noresult(agentHost->meshCoreCtx, "require('win-console').hide()");
 		}
 #endif
 		ILibIPAddressMonitor_Create(agentHost->chain, MeshAgent_AgentMode_IPAddressChanged_Handler, agentHost);	
 		MeshServer_Connect(agentHost);
--- a/microscript/ILibDuktape_Commit.h
+++ b/microscript/ILibDuktape_Commit.h
@@ -1,3 +1,3 @@
-// This file is auto-generated, any edits may be overwritten 
+// This file is auto-generated, any edits may be overwritten
-#define SOURCE_COMMIT_DATE "2019-Nov-26 11:09:12-0800"  
+#define SOURCE_COMMIT_DATE "2020-Sep-17 12:49:12-0700"
-#define SOURCE_COMMIT_HASH "170536b267edea4ab1c67a6fb93c4a4a723d5470"  
+#define SOURCE_COMMIT_HASH "20d4345a87cb5a912f4d891da35bb2ba690b4588"
--- a/microscript/ILibDuktape_Helpers.c
+++ b/microscript/ILibDuktape_Helpers.c
@@ -51,6 +51,32 @@ typedef struct Duktape_EventLoopDispatchData
 	void *user;
 }Duktape_EventLoopDispatchData;
 duk_ret_t duk_fixed_buffer_finalizer(duk_context *ctx)
 {
 	duk_size_t bufLen;
 	char *buf = (char*)Duktape_GetBuffer(ctx, 0, &bufLen);
 	memset(buf, 0, bufLen);
 	return(0);
 }
 void duk_buffer_enable_autoclear(duk_context *ctx)
 {
 	duk_size_t len;
 	duk_push_buffer_object(ctx, -1, 0, len, DUK_BUFOBJ_NODEJS_BUFFER);	// [buffer][obj]
 	duk_remove(ctx, -2);												// [bufobj]
 	duk_push_c_function(ctx, duk_fixed_buffer_finalizer, DUK_VARARGS);	// [bufobj][func]
 	duk_set_finalizer(ctx, -2);											// [bufobj]
 }
 void* duk_push_fixed_buffer_autoclear(duk_context *ctx, duk_size_t size)
 {
 	void *ret = duk_push_fixed_buffer(ctx, size);						// [buffer]
 	duk_push_buffer_object(ctx, -1, 0, size, DUK_BUFOBJ_NODEJS_BUFFER);	// [buffer][obj]
 	duk_remove(ctx, -2);												// [obj]
 	duk_push_c_function(ctx, duk_fixed_buffer_finalizer, DUK_VARARGS);
 	duk_set_finalizer(ctx, -2);
 	return(ret);
 }
 void* Duktape_DynamicBuffer_Resize(duk_context *ctx, duk_idx_t idx, duk_size_t bufSize)
 {
 	void *buffer = ILibMemory_FromRaw(duk_resize_buffer(ctx, idx, bufSize + sizeof(ILibMemory_Header)));
@@ -152,7 +178,10 @@ duk_ret_t ILibDuktape_Error(duk_context *ctx, char *format, ...)
 	va_list argptr;
 	va_start(argptr, format);
-	len += vsnprintf(dest + len, sizeof(dest) - len, format, argptr);
+	if ((size_t)len < sizeof(dest))
 	{
 		len += vsnprintf(dest + len, sizeof(dest) - len, format, argptr);
 	}
 	va_end(argptr);
 	duk_push_string(ctx, dest);
@@ -651,7 +680,7 @@ duk_ret_t ILibDuktape_Process_UncaughtExceptionExGetter(duk_context *ctx)
 }
 void ILibDuktape_Process_UncaughtExceptionEx(duk_context *ctx, char *format, ...)
 {
-	if (ctx == NULL) { return; }
+	if (ctx == NULL || !duk_ctx_is_alive(ctx)) { return; }
 	char dest[4096];
 	int len = 0;
 	va_list argptr;
@@ -667,7 +696,10 @@ void ILibDuktape_Process_UncaughtExceptionEx(duk_context *ctx, char *format, ...
 	duk_pop(ctx);																		// ...
 	va_start(argptr, format);
-	len += vsnprintf(dest + len, sizeof(dest) - len, format, argptr);
+	if (len < sizeof(dest))
 	{
 		len += vsnprintf(dest + len, sizeof(dest) - len, format, argptr);
 	}
 	va_end(argptr);
 	if (errmsgLen + len < sizeof(dest))
@@ -743,7 +775,7 @@ void Duktape_SafeDestroyHeap(duk_context *ctx)
 			threadList[i++] = ILibLinkedList_GetDataFromNode(node);
 			ILibLinkedList_Remove(node);
 		}
-		while (WaitForMultipleObjectsEx(i, threadList, TRUE, 5000, TRUE) == WAIT_IO_COMPLETION);
+		while (WaitForMultipleObjectsEx(i, threadList, TRUE, 1000, TRUE) == WAIT_IO_COMPLETION);
 		ILibMemory_Free(threadList);
 #else
 		int rv;
--- a/microscript/ILibDuktape_Helpers.h
+++ b/microscript/ILibDuktape_Helpers.h
@@ -156,6 +156,7 @@ char *ILibDuktape_String_WideToUTF8(duk_context *ctx, char *wstr);
 char *ILibDuktape_String_UTF8ToWide(duk_context *ctx, char *str);
 void ILibDuktape_String_UTF8ToWideEx(duk_context *ctx, char *str);
 void duk_buffer_enable_autoclear(duk_context *ctx);
 #define Duktape_PushBuffer(ctx, bufSize) ILibMemory_Init(duk_push_fixed_buffer(ctx, (duk_size_t)(bufSize) + sizeof(ILibMemory_Header)), (bufSize), 0, ILibMemory_Types_OTHER)
 #define Duktape_PushDynamicBuffer(ctx, bufSize) ILibMemory_Init(duk_push_dynamic_buffer(ctx, (duk_size_t)(bufSize) + sizeof(ILibMemory_Header)), (bufSize), 0, ILibMemory_Types_OTHER)
 void* Duktape_DynamicBuffer_Resize(duk_context *ctx, duk_idx_t idx, duk_size_t bufSize);
--- a/microscript/ILibDuktape_HttpStream.c
+++ b/microscript/ILibDuktape_HttpStream.c
@@ -466,6 +466,7 @@ duk_ret_t ILibDuktape_HttpStream_http_onUpgrade(duk_context *ctx)
 	duk_get_prop_string(ctx, 0, "headers");						// [headers]
 	duk_get_prop_string(ctx, -1, "Sec-WebSocket-Accept");		// [headers][key]
 	key = (char*)Duktape_GetBuffer(ctx, -1, &keyLen);
 	if (keyLen > 255) { keyLen = 255; }
 	if (duk_has_prop_string(ctx, -2, "Sec-WebSocket-Extensions"))
 	{
@@ -2891,6 +2892,7 @@ duk_ret_t ILibDuktape_HttpStream_IncomingMessage_Digest_ValidatePassword(duk_con
 	retVal = (responseLen == 32 && strncmp(result3, response, 32)) == 0 ? 1 : 0;
 	duk_push_int(ctx, retVal);
 	password = NULL;
 	return(1);
 }
 duk_ret_t ILibDuktape_HttpStream_IncomingMessage_finalizer(duk_context *ctx)
@@ -3803,6 +3805,7 @@ duk_ret_t ILibDuktape_httpStream_parseUri(duk_context *ctx)
 	{
 		duk_push_null(ctx);
 	}
 	password = NULL;
 	return 1;
 }
--- a/microscript/ILibDuktape_SHA256.c
+++ b/microscript/ILibDuktape_SHA256.c
@@ -264,6 +264,7 @@ void ILibDuktape_SHA256_SIGNER_PUSH(duk_context *ctx, void *chain)
 	ILibDuktape_SHA256_Signer_Data* data;
 	duk_push_object(ctx);													// [signer]
 	data = (ILibDuktape_SHA256_Signer_Data*)Duktape_PushBuffer(ctx, sizeof(ILibDuktape_SHA256_Signer_Data));
 	duk_buffer_enable_autoclear(ctx);
 	duk_put_prop_string(ctx, -2, ILibDuktape_SHA256_SIGNER_PTR);			// [signer]
 	data->obj = duk_get_heapptr(ctx, -1);
 	data->ctx = ctx;
--- a/microscript/ILibDuktape_WebRTC.c
+++ b/microscript/ILibDuktape_WebRTC.c
@@ -74,13 +74,14 @@ duk_ret_t ILibWebRTC_Duktape_ConnectionFactory_SetTurn(duk_context *ctx)
 	struct sockaddr_in6* server;
 	ILibWrapper_WebRTC_ConnectionFactory factory;
-	if (host == NULL || username == NULL) { return(ILibDuktape_Error(ctx, "Invalid TURN parameters")); }
+	if (host == NULL || username == NULL) { password = NULL;  return(ILibDuktape_Error(ctx, "Invalid TURN parameters")); }
 	server = Duktape_IPAddress4_FromString(host, (unsigned short)port);
 	duk_push_this(ctx);
 	factory = Duktape_GetPointerProperty(ctx, -1, "FactoryPtr");
 	ILibWrapper_WebRTC_ConnectionFactory_SetTurnServer(factory, server, username, (int)usernameLen, password, (int)passwordLen, flags);
 	password = NULL;
 	return 0;
 }
--- a/microscript/ILibDuktape_net.c
+++ b/microscript/ILibDuktape_net.c
@@ -2324,6 +2324,7 @@ duk_ret_t ILibDuktape_TLS_generateCertificate(duk_context *ctx)
 	ILibDuktape_WriteID(ctx, "tls.pfxCertificate");
 	util_free(data);
 	util_freecert(&cert);
 	passphrase = NULL;
 	return 1;
 }
 duk_ret_t ILibDuktape_TLS_loadpkcs7b(duk_context *ctx)
@@ -2473,7 +2474,7 @@ void ILibDuktape_ipaddress_PUSH(duk_context *ctx, struct sockaddr_in6* addr)
 	ILibDuktape_CreateInstanceMethod(ctx, "toString", ILibDuktape_ipaddress_toString, 1);
 	struct sockaddr_in6* _addr = (struct sockaddr_in6*)Duktape_PushBuffer(ctx, sizeof(struct sockaddr_in6));// [Address4][addr]
 	duk_put_prop_string(ctx, -2, ILibDuktape_IPAddress_SockAddr);											// [Address4]
-	memcpy(_addr, addr, sizeof(struct sockaddr_in6));
+	memcpy_s(_addr, sizeof(struct sockaddr_in6), addr, sizeof(struct sockaddr_in6));
 }
 duk_ret_t ILibDuktape_ipaddress_address4_constructor(duk_context *ctx)
--- a/microscript/ILibduktape_EventEmitter.c
+++ b/microscript/ILibduktape_EventEmitter.c
@@ -435,7 +435,9 @@ ILibDuktape_EventEmitter* ILibDuktape_EventEmitter_GetEmitter_fromThis(duk_conte
 }
 ILibDuktape_EventEmitter* ILibDuktape_EventEmitter_GetEmitter(duk_context *ctx, duk_idx_t i)
 {
 	if (!duk_ctx_is_alive(ctx)) { return(NULL); }
 	ILibDuktape_EventEmitter *retVal = (ILibDuktape_EventEmitter*)Duktape_GetBufferProperty(ctx, i, ILibDuktape_EventEmitter_Data);
 	if (!duk_ctx_is_alive(retVal->object)) { retVal = NULL; }
 	return retVal;
 }
 duk_ret_t ILibDuktape_EventEmitter_removeListener(duk_context *ctx)
@@ -495,8 +497,12 @@ duk_ret_t ILibDuktape_EventEmitter_removeAllListeners(duk_context *ctx)
 duk_ret_t ILibDuktape_EventEmitter_EmbeddedFinalizer(duk_context *ctx)
 {
 	ILibDuktape_EventEmitter *data = ILibDuktape_EventEmitter_GetEmitter(ctx, 0);
 	if (!ILibMemory_CanaryOK(data) || !duk_ctx_is_alive(data->ctx)) { return(0); }
 	ILibDuktape_EventEmitter_SetupEmit(ctx, duk_get_heapptr(ctx, 0), "~");	// [emit][this][~]
 	duk_dup(ctx, 0);														// [emit][this][~][self]
 	char *meta = Duktape_GetStringPropertyValue(ctx, -1, ILibDuktape_OBJID, "UNKNOWN");
 	if (g_displayFinalizerMessages)
 	{
 		printf("+-+- Finalizer Event for: %s [%p] -+-+\n", Duktape_GetStringPropertyValue(ctx, -1, ILibDuktape_OBJID, "UNKNOWN"), duk_get_heapptr(ctx, -1));
@@ -532,17 +538,10 @@ duk_ret_t ILibDuktape_EventEmitter_EmbeddedFinalizer(duk_context *ctx)
 	}
 	if (duk_pcall_method(ctx, 2) != 0)
 	{
-		ILibDuktape_Process_UncaughtExceptionEx(ctx, "Error in Finalizer: [Invalid C function means you forgot to return 0] ");
+		ILibDuktape_Process_UncaughtExceptionEx(ctx, "Error in Finalizer (%s): [Invalid C function means you forgot to return 0] ", meta);
 	}
 	ILibDuktape_EventEmitter *data = ILibDuktape_EventEmitter_GetEmitter(ctx, 0);
 	if (data == NULL) { return(ILibDuktape_Error(ctx, "Internal Error")); }			// This is deadcode, will never occur, but is here because Klockwork thinks this could happen
 	if (!ILibMemory_CanaryOK(data) || !duk_ctx_is_alive(data->ctx)) { return(0); }
 	sem_destroy(&(data->listenerCountTableLock));
 	// We need to clear the Native Dispatcher, while destroying the Hashtable
 	memset(ILibMemory_RawPtr(data), 0, ILibMemory_RawSize(data));
 	return(0);
 }
 duk_ret_t ILibDuktape_EventEmitter_emitReturnValue(duk_context *ctx)
--- a/microstack/ILibMulticastSocket.c
+++ b/microstack/ILibMulticastSocket.c
@@ -309,7 +309,7 @@ struct ILibMulticastSocket_StateModule *ILibMulticastSocket_Create(void *Chain,
 	if (MulticastAddr != NULL)
 	{
 		// Setup the IPv4 multicast address
-		memcpy(&(module->MulticastAddr), MulticastAddr, sizeof(struct sockaddr_in));
+		memcpy_s(&(module->MulticastAddr), sizeof(struct sockaddr_in), MulticastAddr, sizeof(struct sockaddr_in));
 		if (module->MulticastAddr.sin_port == 0) module->MulticastAddr.sin_port = htons(LocalPort);
 		// Setup incoming IPv4 socket
@@ -337,7 +337,7 @@ struct ILibMulticastSocket_StateModule *ILibMulticastSocket_Create(void *Chain,
 			ILibChain_Link_SetMetadata(module->UDPServer6, "ILibMulticastSocketListener_v6");
 			// Setup the IPv6 multicast address
-			memcpy(&(module->MulticastAddr6), MulticastAddr6, sizeof(struct sockaddr_in6));
+			memcpy_s(&(module->MulticastAddr6), sizeof(struct sockaddr_in6), MulticastAddr6, sizeof(struct sockaddr_in6));
 			if (module->MulticastAddr6.sin6_port == 0) module->MulticastAddr6.sin6_port = htons(LocalPort);
 			// Set TTL, IPv6, Loop and Reuse flags assumed to already be set
@@ -385,7 +385,7 @@ void ILibMulticastSocket_WakeOnLan(void *module, char* mac)
 	// Create the magic packet
 	memset(ILibScratchPad, 0xFF, 6);
-	for (i = 1; i < 17; i++) memcpy(ILibScratchPad + (6 * i), mac, 6);
+	for (i = 1; i < 17; i++) memcpy_s(ILibScratchPad + (6 * i), sizeof(ILibScratchPad) - (6*i), mac, 6);
 	// Send it
 	for (i = 0; i < 2; i++)
--- a/microstack/ILibParsers.h
+++ b/microstack/ILibParsers.h
@@ -264,7 +264,7 @@ long ILibGetTimeStamp();
 // Polyfills
 #ifndef memcpy_s
 	int ILibMemory_Copy_s(void *destination, size_t destinationSize, void *source, size_t sourceLength);
-	#define memcpy_s(dest, destSize, source, sourceLen) ILibMemory_Copy_s(dest, destSize, source, sourceLen)
+	#define memcpy_s(dest, destSize, source, sourceLen) ILibMemory_Copy_s(dest, destSize, (void*)source, sourceLen)
 #endif
 #ifndef memmove_s
--- a/microstack/ILibWebRTC.c
+++ b/microstack/ILibWebRTC.c
@@ -1141,7 +1141,7 @@ void ILibStun_OnDestroy(void *object)
 	ILibLinkedList_Destroy(obj->StunUsers);
 	if (obj->turnUsername != NULL) { free(obj->turnUsername); obj->turnUsername = NULL; }
-	if (obj->turnPassword != NULL) { free(obj->turnPassword); obj->turnPassword = NULL; }
+	if (obj->turnPassword != NULL) { memset(obj->turnPassword, 0, obj->turnPasswordLength); free(obj->turnPassword); obj->turnPassword = NULL; }
 	ILibLifeTime_Remove(obj->Timer, ILibWebRTC_STUN_TO_PERIODIC_CHECK_TIMER(obj));
 	if (extraClean == 0) return;
@@ -3005,6 +3005,7 @@ void ILibORTC_SetRemoteParameters(void* stunModule, char *username, int username
 	ILibRemoteLogging_printf(ILibChainGetLogger(obj->ChainLink.ParentChain), ILibRemoteLogging_Modules_WebRTC_STUN_ICE, ILibRemoteLogging_Flags_VerbosityLevel_1, "ILibORTC_SetRemoteParameters -> ILibStun_SetIceOffer2");
 	ILibStun_SetIceOffer2(stunModule, offer, offerLen, localUserName, localUserNameLen, localPassword, localPasswordLen, &answer);
 	free(answer);
 	localPassword = NULL;
 }
 void ILibORTC_AddRemoteCandidate(void *stunModule, char* localUsername, struct sockaddr_in6 *candidate)
@@ -6277,7 +6278,7 @@ void ILibWebRTC_SetTurnServer(void* stunModule, struct sockaddr_in6* turnServer,
 	}
 	if (stun->turnPassword != NULL)
 	{
-		free(stun->turnPassword);
+		memset(stun->turnPassword, 0, stun->turnPasswordLength); free(stun->turnPassword);
 		stun->turnPassword = NULL;
 	}
 	if (passwordLength > 0 && password != NULL)
--- a/microstack/ILibWrapperWebRTC.c
+++ b/microstack/ILibWrapperWebRTC.c
@@ -309,6 +309,7 @@ char* ILibWrapper_SdpToBlock(char* sdp, int sdpLen, int *isActive, char **userna
 	ILibDestructParserResults(pr);
 	free(lines);
 	if(dtlshash!=NULL) {free(dtlshash);}
 	password = NULL;
 	return(retVal);
 }
@@ -417,6 +418,7 @@ int ILibWrapper_BlockToSDPEx(char* block, int blockLen, char** username, char**
 			x += sprintf_s(*sdp+x, sdpLen-x, sdpTemplateRelay, i, c, 2128609535-i, relayAddressString, relayAddressPort,  (unsigned char)candidates[0], (unsigned char)candidates[1], (unsigned char)candidates[2], (unsigned char)candidates[3]);
 		}
 	}
 	password = NULL;
 	return(x);
 }