This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/20112] New: sunrpc: stack (frame) overflow in Sun RPC clntudp_call (CVE-2016-4429)
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 18 May 2016 11:58:40 +0000
- Subject: [Bug network/20112] New: sunrpc: stack (frame) overflow in Sun RPC clntudp_call (CVE-2016-4429)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20112
Bug ID: 20112
Summary: sunrpc: stack (frame) overflow in Sun RPC clntudp_call (CVE-2016-4429)
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: fweimer at redhat dot com
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
clntudp_call allocates a buffer, using alloca, to store the payload of an
incoming socket error. If a malicious server floods the client with crafted
ICMP and UDP packets, this can cause the client to allocate sufficiently many
such temporary buffers to cause a stack (frame) overflow (denial of service).

The size of the allocated buffer depends on the request size. If the request
size is close to the page size or even larger, this could cause the stack
pointer to step over the guard page, leading to additional impact beyond denial
of service.
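The allocation pattern described in the report, reduced to a stand-alone C program. This is an added example, not glibc's `clntudp_call` code or its fix. The function names, the `stack_pos` measurement helper and the event loop are assumptions made for illustration. It measures how far the stack grows when a buffer is taken with `alloca` for each handled error event, compared with a variant that reuses one heap buffer.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>

/* Approximate current stack position: address of a local in a
   non-inlined callee, which sits just below the caller's stack pointer. */
static __attribute__((noinline)) uintptr_t stack_pos(void)
{
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

static size_t span(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }

/* Reduced form of the reported pattern (hypothetical names): a scratch
   buffer is taken with alloca each time an error event is handled inside
   the retry loop. alloca memory is released only on function return, so
   stack use grows by about `size` bytes per event. Returns the growth. */
size_t growth_alloca_per_event(size_t size, int events)
{
    uintptr_t first = 0, last = 0;
    for (int i = 0; i < events; i++) {
        volatile char *scratch = alloca(size);
        scratch[0] = 0;          /* stand-in for reading the error payload */
        last = stack_pos();
        if (i == 0) first = last;
    }
    return span(first, last);
}

/* Bounded variant: one heap buffer allocated before the loop and reused
   for every event, so the event count no longer affects stack depth. */
size_t growth_reused_buffer(size_t size, int events)
{
    uintptr_t first = 0, last = 0;
    volatile char *scratch = malloc(size);
    if (scratch == NULL) return (size_t)-1;
    for (int i = 0; i < events; i++) {
        scratch[0] = 0;
        last = stack_pos();
        if (i == 0) first = last;
    }
    free((void *)scratch);
    return span(first, last);
}
```

With a page-sized buffer, each handled event moves the stack pointer by at least a full page in the first function, which is the condition the report ties to stepping over the guard page.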