This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch release/2.22/master updated. glibc-2.22-71-g444fb8c


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  444fb8c27d9b0d1671ce1a441faf52b24305a332 (commit)
      from  a64be6fb2f1317ce7039a4bb8638bd0c30c31e28 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=444fb8c27d9b0d1671ce1a441faf52b24305a332

commit 444fb8c27d9b0d1671ce1a441faf52b24305a332
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 23 20:18:34 2016 +0200

    CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
    
    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).
    
    (cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)

diff --git a/ChangeLog b/ChangeLog
index 62794f2..123274c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+	CVE-2016-4429
+	[BZ #20112]
+	* sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+	payload.
+
 2016-05-02  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19573]
diff --git a/NEWS b/NEWS
index 94b731f..b0b981b 100644
--- a/NEWS
+++ b/NEWS
@@ -26,7 +26,7 @@ Version 2.22.1
   17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796,
   18870, 18887, 18921, 18928, 18969, 18985, 19003, 19018, 19048, 19058,
   19174, 19178, 19182, 19243, 19573, 19590, 19682, 19791, 19822, 19853,
-  19879, 19779, 20010.
+  19879, 19779, 20010, 20112.
 
 * The getnetbyname implementation in nss_dns had a potentially unbounded
   alloca call (in the form of a call to strdupa), leading to a stack
@@ -53,6 +53,10 @@ Version 2.22.1
   even after the fix for CVE-2013-4458 has been applied, potentially
   resulting in a stack overflow.  getaddrinfo now uses a heap allocation
   instead.  Reported by Michael Petlan.  (CVE-2016-3706)
+
+* The Sun RPC UDP client could exhaust all available stack space when
+  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
+  alloca plugin for GCC.  (CVE-2016-4429)
 
 Version 2.22
 
diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
index 6ffa5f2..c818caf 100644
--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
@@ -420,9 +420,15 @@ send_again:
 	  struct sock_extended_err *e;
 	  struct sockaddr_in err_addr;
 	  struct iovec iov;
-	  char *cbuf = (char *) alloca (outlen + 256);
+	  char *cbuf = malloc (outlen + 256);
 	  int ret;
 
+	  if (cbuf == NULL)
+	    {
+	      cu->cu_error.re_errno = errno;
+	      return (cu->cu_error.re_status = RPC_CANTRECV);
+	    }
+
 	  iov.iov_base = cbuf + 256;
 	  iov.iov_len = outlen;
 	  msg.msg_name = (void *) &err_addr;
@@ -447,10 +453,12 @@ send_again:
 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 		{
+		  free (cbuf);
 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 		  cu->cu_error.re_errno = e->ee_errno;
 		  return (cu->cu_error.re_status = RPC_CANTRECV);
 		}
+	  free (cbuf);
 	}
 #endif
       do

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    7 +++++++
 NEWS              |    6 +++++-
 sunrpc/clnt_udp.c |   10 +++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]