Apply FreeBSD-SA-09:07.libc - fix information leak in db(3)
authorMatthew Dillon <dillon@apollo.backplane.com>
Wed, 22 Apr 2009 23:09:06 +0000 (16:09 -0700)
committerMatthew Dillon <dillon@apollo.backplane.com>
Wed, 22 Apr 2009 23:09:06 +0000 (16:09 -0700)
Obtained-from: FreeBSD

lib/libc/db/btree/bt_split.c
lib/libc/db/hash/hash_buf.c
lib/libc/db/mpool/mpool.c

index 72cf757..809c20b 100644 (file)
@@ -372,7 +372,7 @@ bt_page(BTREE *t, PAGE *h, PAGE **lp, PAGE **rp, indx_t *skip, size_t ilen)
        }
 
        /* Put the new left page for the split into place. */
-       if ((l = (PAGE *)malloc(t->bt_psize)) == NULL) {
+       if ((l = (PAGE *)calloc(1, t->bt_psize)) == NULL) {
                mpool_put(t->bt_mp, r, 0);
                return (NULL);
        }
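Review bot: The reason for switching to `calloc` is not recorded at the call site in bt_page, so a later cleanup could turn it back into `malloc` plus partial initialisation and bring back the leak named in the commit title. A one-line comment above the allocation would pin the intent, e.g. `/* Zero the page: unused bytes may be written to the database file and must not carry old heap contents. */`. The same comment would fit the `calloc` calls in newbuf (hash_buf.c) and mpool_bkt (mpool.c). bt_page starts and ends outside this hunk.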
index e3ce22b..031195f 100644 (file)
@@ -56,6 +56,7 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 
 #ifdef DEBUG
 #include <assert.h>
@@ -171,12 +172,12 @@ newbuf(HTAB *hashp, u_int32_t addr, BUFHEAD *prev_bp)
         */
        if (hashp->nbufs || (bp->flags & BUF_PIN)) {
                /* Allocate a new one */
-               if ((bp = (BUFHEAD *)malloc(sizeof(BUFHEAD))) == NULL)
+               if ((bp = (BUFHEAD *)calloc(1, sizeof(BUFHEAD))) == NULL)
                        return (NULL);
 #ifdef PURIFY
                memset(bp, 0xff, sizeof(BUFHEAD));
 #endif
-               if ((bp->page = (char *)malloc(hashp->BSIZE)) == NULL) {
+               if ((bp->page = (char *)calloc(1, hashp->BSIZE)) == NULL) {
                        free(bp);
                        return (NULL);
                }
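Review bot: Only the allocate-new branch of `if (hashp->nbufs || (bp->flags & BUF_PIN))` is zero-filled here; if the other branch recycles an existing buffer (it lies outside this hunk, so this needs confirming), a recycled `bp->page` would still hold the previous page's bytes and may need the same clearing before reuse. The same question applies to mpool_bkt in mpool.c, where a `return (bp);` sits just above the `new:` label that this commit changes. Separately, in a PURIFY build the `memset(bp, 0xff, sizeof(BUFHEAD))` overwrites the header that `calloc` just zeroed, so a comment such as `/* PURIFY poisons the header only; bp->page below stays zero-filled */` would make clear which allocation carries the fix. newbuf starts and ends outside this hunk.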
@@ -321,8 +322,10 @@ __buf_free(HTAB *hashp, int do_free, int to_disk)
                }
                /* Check if we are freeing stuff */
                if (do_free) {
-                       if (bp->page)
+                       if (bp->page) {
+                               memset(bp->page, 0, hashp->BSIZE);
                                free(bp->page);
+                       }
                        BUF_REMOVE(bp);
                        free(bp);
                        bp = LRU;
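Review bot: The `memset(bp->page, 0, hashp->BSIZE);` added directly before `free(bp->page);` is a dead store as far as the optimiser is concerned, so a compiler may drop it and the page would be freed unscrubbed with no warning. Where libc provides it, `explicit_bzero(bp->page, hashp->BSIZE);` keeps the clear in place; otherwise a memset called through a volatile function pointer serves the same purpose. It would also help to add a comment such as `/* Scrub page contents before returning the memory to the heap. */` so the call is not later removed as redundant. __buf_free starts and ends outside this hunk.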
index c471066..4de6b81 100644 (file)
@@ -325,7 +325,7 @@ mpool_bkt(MPOOL *mp)
                        return (bp);
                }
 
-new:   if ((bp = (BKT *)malloc(sizeof(BKT) + mp->pagesize)) == NULL)
+new:   if ((bp = (BKT *)calloc(1, sizeof(BKT) + mp->pagesize)) == NULL)
                return (NULL);
 #ifdef STATISTICS
        ++mp->pagealloc;