svn commit: r190940 - in stable/6/lib/libc: . db db/btree db/hash db/mpool inet sys

Xin LI delphij at FreeBSD.org
Sat Apr 11 08:21:12 PDT 2009


Author: delphij
Date: Sat Apr 11 15:21:11 2009
New Revision: 190940
URL: http://svn.freebsd.org/changeset/base/190940

Log:
  MFC r190482: zero out memory before use and free.
  
  Security:       Potential Information Leak

Modified:
  stable/6/lib/libc/   (props changed)
  stable/6/lib/libc/db/README
  stable/6/lib/libc/db/btree/bt_open.c
  stable/6/lib/libc/db/btree/bt_split.c
  stable/6/lib/libc/db/hash/hash_buf.c
  stable/6/lib/libc/db/mpool/mpool.c
  stable/6/lib/libc/inet/inet_net_pton.c   (props changed)
  stable/6/lib/libc/sys/   (props changed)

Modified: stable/6/lib/libc/db/README
==============================================================================
--- stable/6/lib/libc/db/README	Sat Apr 11 15:19:26 2009	(r190939)
+++ stable/6/lib/libc/db/README	Sat Apr 11 15:21:11 2009	(r190940)
@@ -1,4 +1,5 @@
 #	@(#)README	8.27 (Berkeley) 9/1/94
+# $FreeBSD$
 
 This is version 1.85 of the Berkeley DB code.
 
@@ -31,10 +32,3 @@ mpool		The memory pool routines.
 recno		The fixed/variable length record routines.
 test		Test package.
 
-============================================
-Debugging:
-
-If you're running a memory checker (e.g. Purify) on DB, make sure that
-you recompile it with "-DPURIFY" in the CFLAGS, first.  By default,
-allocated pages are not initialized by the DB code, and they will show
-up as reads of uninitialized memory in the buffer write routines.

Modified: stable/6/lib/libc/db/btree/bt_open.c
==============================================================================
--- stable/6/lib/libc/db/btree/bt_open.c	Sat Apr 11 15:19:26 2009	(r190939)
+++ stable/6/lib/libc/db/btree/bt_open.c	Sat Apr 11 15:21:11 2009	(r190940)
@@ -163,9 +163,8 @@ __bt_open(fname, flags, mode, openinfo, 
 		goto einval;
 
 	/* Allocate and initialize DB and BTREE structures. */
-	if ((t = (BTREE *)malloc(sizeof(BTREE))) == NULL)
+	if ((t = (BTREE *)calloc(1, sizeof(BTREE))) == NULL)
 		goto err;
-	memset(t, 0, sizeof(BTREE));
 	t->bt_fd = -1;			/* Don't close unopened fd on error. */
 	t->bt_lorder = b.lorder;
 	t->bt_order = NOT;
@@ -173,9 +172,8 @@ __bt_open(fname, flags, mode, openinfo, 
 	t->bt_pfx = b.prefix;
 	t->bt_rfd = -1;
 
-	if ((t->bt_dbp = dbp = (DB *)malloc(sizeof(DB))) == NULL)
+	if ((t->bt_dbp = dbp = (DB *)calloc(1, sizeof(DB))) == NULL)
 		goto err;
-	memset(t->bt_dbp, 0, sizeof(DB));
 	if (t->bt_lorder != machine_lorder)
 		F_SET(t, B_NEEDSWAP);
 

Modified: stable/6/lib/libc/db/btree/bt_split.c
==============================================================================
--- stable/6/lib/libc/db/btree/bt_split.c	Sat Apr 11 15:19:26 2009	(r190939)
+++ stable/6/lib/libc/db/btree/bt_split.c	Sat Apr 11 15:21:11 2009	(r190940)
@@ -385,13 +385,10 @@ bt_page(t, h, lp, rp, skip, ilen)
 	}
 
 	/* Put the new left page for the split into place. */
-	if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+	if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
 		mpool_put(t->bt_mp, r, 0);
 		return (NULL);
 	}
-#ifdef PURIFY
-	memset(l, 0xff, t->bt_psize);
-#endif
 	l->pgno = h->pgno;
 	l->nextpg = r->pgno;
 	l->prevpg = h->prevpg;
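Review bot: The switch to `calloc(1, t->bt_psize)` in bt_page carries no comment saying why the page must be zero-filled, and the README paragraph that described uninitialized pages reaching the buffer write routines is removed in this same commit, so the reason is no longer written down anywhere. I would add above the allocation: `/* Zero-fill: unused bytes of this page are written out with it and must not hold stale heap data. */`. The same comment fits the `calloc` calls in newbuf (hash_buf.c) and mpool_bkt (mpool.c). bt_page continues outside the hunk, so where `l` is released, and whether it needs clearing there, cannot be checked from here.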

Modified: stable/6/lib/libc/db/hash/hash_buf.c
==============================================================================
--- stable/6/lib/libc/db/hash/hash_buf.c	Sat Apr 11 15:19:26 2009	(r190939)
+++ stable/6/lib/libc/db/hash/hash_buf.c	Sat Apr 11 15:21:11 2009	(r190940)
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 #ifdef DEBUG
 #include <assert.h>
@@ -178,18 +179,12 @@ newbuf(hashp, addr, prev_bp)
 	 */
 	if (hashp->nbufs || (bp->flags & BUF_PIN)) {
 		/* Allocate a new one */
-		if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+		if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
 			return (NULL);
-#ifdef PURIFY
-		memset(bp, 0xff, sizeof(BUFHEAD));
-#endif
-		if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+		if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
 			free(bp);
 			return (NULL);
 		}
-#ifdef PURIFY
-		memset(bp->page, 0xff, hashp->BSIZE);
-#endif
 		if (hashp->nbufs)
 			hashp->nbufs--;
 	} else {
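Review bot: Only the freshly allocated branch of newbuf gets zeroed memory; the `else` branch that opens on the last line of the hunk appears to reuse an existing BUFHEAD and its page, and its body is outside the hunk. If that path hands the old page back without clearing it, the previous page's bytes can persist in the unused part of the new page and be written to the file, which is the same leak in a narrower form. That is worth confirming, and if so adding `(void)memset(bp->page, 0, hashp->BSIZE);` once the old contents have been flushed. mpool_bkt in mpool.c has the same shape: the `return (bp);` above the `new:` label is reached without passing through the `calloc`.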
@@ -332,8 +327,10 @@ __buf_free(hashp, do_free, to_disk)
 		}
 		/* Check if we are freeing stuff */
 		if (do_free) {
-			if (bp->page)
+			if (bp->page) {
+				(void)memset(bp->page, 0, hashp->BSIZE);
 				free(bp->page);
+			}
 			BUF_REMOVE(bp);
 			free(bp);
 			bp = LRU;
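Review bot: The `memset` added before `free(bp->page)` in __buf_free is a store to memory that is never read again, so an optimizing compiler is permitted to drop it and the page would be released with its contents intact. A wipe that cannot be elided is safer here: the libc's own primitive for that where this branch has one (`explicit_bzero` or `memset_s`; availability is not visible from this hunk), or a clear done through a `volatile unsigned char *`. The BUFHEAD itself is freed two lines later without being cleared, which is probably acceptable if it holds only bookkeeping rather than page data. __buf_free starts and ends outside the hunk.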

Modified: stable/6/lib/libc/db/mpool/mpool.c
==============================================================================
--- stable/6/lib/libc/db/mpool/mpool.c	Sat Apr 11 15:19:26 2009	(r190939)
+++ stable/6/lib/libc/db/mpool/mpool.c	Sat Apr 11 15:21:11 2009	(r190940)
@@ -347,14 +347,11 @@ mpool_bkt(mp)
 			return (bp);
 		}
 
-new:	if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new:	if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
 		return (NULL);
 #ifdef STATISTICS
 	++mp->pagealloc;
 #endif
-#if defined(DEBUG) || defined(PURIFY)
-	memset(bp, 0xff, sizeof(BKT) + mp->pagesize);
-#endif
 	bp->page = (char *)bp + sizeof(BKT);
 	++mp->curcache;
 	return (bp);

