This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.23-350-gbc779a1
- From: fw at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 23 May 2016 18:26:26 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.23-350-gbc779a1
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via bc779a1a5b3035133024b21e2f339fe4219fb11c (commit)
from 3375cfafa7961c6ae0e509c31c3b3cef9ad1f03d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bc779a1a5b3035133024b21e2f339fe4219fb11c
commit bc779a1a5b3035133024b21e2f339fe4219fb11c
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon May 23 20:18:34 2016 +0200
CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
The call is technically in a loop, and under certain circumstances
(which are quite difficult to reproduce in a test case), alloca
can be invoked repeatedly during a single call to clntudp_call.
As a result, the available stack space can be exhausted (even
though individual alloca sizes are bounded implicitly by what
can fit into a UDP packet, as a side effect of the earlier
successful send operation).
diff --git a/ChangeLog b/ChangeLog
index 4455c6d..ab323b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-05-23 Florian Weimer <fweimer@redhat.com>
+ CVE-2016-4429
+ [BZ #20112]
+ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+ payload.
+
+2016-05-23 Florian Weimer <fweimer@redhat.com>
+
[BZ #20111]
* bits/sockaddr.h (_SS_SIZE): Define.
* bits/socket.h (_SS_SIZE): Remove.
diff --git a/NEWS b/NEWS
index b3fd3cc..2341697 100644
--- a/NEWS
+++ b/NEWS
@@ -48,6 +48,10 @@ Security related changes:
called with the GLOB_ALTDIRFUNC flag and encountered a long file name.
Reported by Alexander Cherepanov. (CVE-2016-1234)
+* The Sun RPC UDP client could exhaust all available stack space when
+ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez'
+ alloca plugin for GCC. (CVE-2016-4429)
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
index a6cf5f1..4d9acb1 100644
--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
@@ -388,9 +388,15 @@ send_again:
struct sock_extended_err *e;
struct sockaddr_in err_addr;
struct iovec iov;
- char *cbuf = (char *) alloca (outlen + 256);
+ char *cbuf = malloc (outlen + 256);
int ret;
+ if (cbuf == NULL)
+ {
+ cu->cu_error.re_errno = errno;
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
+
iov.iov_base = cbuf + 256;
iov.iov_len = outlen;
msg.msg_name = (void *) &err_addr;
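Review bot: with cbuf moved to the heap, every path out of this block must now release it, and the hunk header shows the block sits under the send_again retry label, so a missed free would leak one buffer per retry and trade the stack exhaustion for unbounded heap growth under the same message flood; this hunk only shows the allocation and the malloc-failure return, so please confirm that the recvmsg failure path between this hunk and the next also frees cbuf. If outlen is fixed for the duration of the call, allocating cbuf once before send_again and freeing it once on exit would remove that per-path bookkeeping. Minor: the 256 in `malloc (outlen + 256)` and `cbuf + 256` is the size reserved for the control-message area and deserves a named constant or a comment.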
@@ -415,10 +421,12 @@ send_again:
cmsg = CMSG_NXTHDR (&msg, cmsg))
if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
{
+ free (cbuf);
e = (struct sock_extended_err *) CMSG_DATA(cmsg);
cu->cu_error.re_errno = e->ee_errno;
return (cu->cu_error.re_status = RPC_CANTRECV);
}
+ free (cbuf);
}
#endif
do
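Review bot: in the IP_RECVERR branch, `free (cbuf);` runs before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`, yet cmsg was obtained by walking the control data of msg (`CMSG_NXTHDR (&msg, cmsg)`). If msg.msg_control points into cbuf, which the 256 bytes the previous hunk reserves ahead of iov_base strongly suggest, this reads freed memory: with alloca the ordering was harmless, with malloc it is a use-after-free on an error path an attacker can trigger with the same ICMP messages the NEWS entry describes. Move the free to after `cu->cu_error.re_errno = e->ee_errno;` so the branch copies the extended error out first and releases the buffer just before returning.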
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 7 +++++++
NEWS | 4 ++++
sunrpc/clnt_udp.c | 10 +++++++++-
3 files changed, 20 insertions(+), 1 deletions(-)
hooks/post-receive
--
GNU C Library master sources