Clean up client receiving slice after RPC call recvs sensitive data?

[Aidan Sojourner US]

Hello,

We have the following situation on a C++ gRPC client:

* Client makes a unary RPC call to receive some sensitive data

* Client copies sensitive data from RPC reply, then encrypts / protects sensitive memory  (using Win32 CNG DPAPI).

* Client cleans up (zeroes) other references to this sensitive cleartext in memory.

We noticed when doing a memory scan that a copy of the sensitive data appears to be sitting in the call's receive slice buffer (grpc_slice) after the call has finished, and even after several other RPCs have completed.

When debugging, I can see that the data stored in the grpc_slice is refcounted: if we made an RPC with `context`, then `context->call_->receiving_slice.data.refcounted` points to the data we want to clear. Unfortunately, it's not clear to me how to properly clean this up. Is there any way to manually clear and zero the receiving slice?

Note: one possible WAR we found was to re-create the channel and create a new stub. However, this does not allow us to zero the slice, so it only works in "Debug" mode on MSVC where deleted memory is cleaned.

Any help is appreciated, thank you!

Aidan