CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

The call is technically in a loop, and under certain circumstances (which are quite difficult to reproduce in a test case), alloca can be invoked repeatedly during a single call to clntudp_call. As a result, the available stack space can be exhausted (even though individual alloca sizes are bounded implicitly by what can fit into a UDP packet, as a side effect of the earlier successful send operation). (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
author: Florian Weimer <fweimer@redhat.com> 2016-05-23 20:18:34 +0200
committer: Aurelien Jarno <aurelien@aurel32.net> 2016-05-31 12:48:41 +0200
commit: ce92632d1297d032e5781cfa077e300f5c167471 (patch)
tree: 8728b7f36dc3408bcd83182cd1fd1735c1014e37 /ChangeLog
parent: 10d268070a8aa9a878668e7f060e92ed668de146 (diff)
download: glibc-ce92632d1297d032e5781cfa077e300f5c167471.zip
glibc-ce92632d1297d032e5781cfa077e300f5c167471.tar.gz
glibc-ce92632d1297d032e5781cfa077e300f5c167471.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index f9a9e33..fb2d7ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+	CVE-2016-4429
+	[BZ #20112]
+	* sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+	payload.
+
 2016-03-25  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19791]
author	Florian Weimer <fweimer@redhat.com>	2016-05-23 20:18:34 +0200
committer	Aurelien Jarno <aurelien@aurel32.net>	2016-05-31 12:48:41 +0200
commit	ce92632d1297d032e5781cfa077e300f5c167471 (patch)
tree	8728b7f36dc3408bcd83182cd1fd1735c1014e37 /ChangeLog
parent	10d268070a8aa9a878668e7f060e92ed668de146 (diff)
download	glibc-ce92632d1297d032e5781cfa077e300f5c167471.zip glibc-ce92632d1297d032e5781cfa077e300f5c167471.tar.gz glibc-ce92632d1297d032e5781cfa077e300f5c167471.tar.bz2