CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

The call is technically in a loop, and under certain circumstances (which are quite difficult to reproduce in a test case), alloca can be invoked repeatedly during a single call to clntudp_call. As a result, the available stack space can be exhausted (even though individual alloca sizes are bounded implicitly by what can fit into a UDP packet, as a side effect of the earlier successful send operation). (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
author: Florian Weimer <fweimer@redhat.com> 2016-05-23 20:18:34 +0200
committer: Aurelien Jarno <aurelien@aurel32.net> 2016-05-31 11:33:20 +0200
commit: 444fb8c27d9b0d1671ce1a441faf52b24305a332 (patch)
tree: 12c1364b14924df331f9c138cf2cae58065a6c79 /ChangeLog
parent: a64be6fb2f1317ce7039a4bb8638bd0c30c31e28 (diff)
download: glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar
glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar.gz
glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar.bz2
glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 62794f26b6..123274c270 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+	CVE-2016-4429
+	[BZ #20112]
+	* sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+	payload.
+
 2016-05-02  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19573]
author	Florian Weimer <fweimer@redhat.com>	2016-05-23 20:18:34 +0200
committer	Aurelien Jarno <aurelien@aurel32.net>	2016-05-31 11:33:20 +0200
commit	444fb8c27d9b0d1671ce1a441faf52b24305a332 (patch)
tree	12c1364b14924df331f9c138cf2cae58065a6c79 /ChangeLog
parent	a64be6fb2f1317ce7039a4bb8638bd0c30c31e28 (diff)
download	glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar.gz glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.tar.bz2 glibc-444fb8c27d9b0d1671ce1a441faf52b24305a332.zip