diff mbox

[uclibc-ng-devel] uClibc-ng - small C library for embedded systems branch master updated. v1.0.17-1-g9213ad6

Message ID 20160805193510.A629710113@helium.openadk.org
State Not Applicable
Headers show

Commit Message

wbx Aug. 5, 2016, 7:35 p.m. UTC 
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "uClibc-ng - small C library for embedded systems".

The branch, master has been updated
       via  9213ad631513d0e67d9d31465c9cdb3f3dde0399 (commit)
      from  79dc2c282b655adb8d5075d9eb2519883042ccf8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9213ad631513d0e67d9d31465c9cdb3f3dde0399
Author: Waldemar Brodkorb <wbx@uclibc-ng.org>
Date:   Fri Aug 5 21:33:44 2016 +0200

    sunrpc: Do not use alloca in clntudp_call
    
    CVE-2016-4429:
    The call is technically in a loop, and under certain circumstances
    (which are quite difficult to reproduce in a test case), alloca
    can be invoked repeatedly during a single call to clntudp_call.
    As a result, the available stack space can be exhausted (even
    though individual alloca sizes are bounded implicitly by what
    can fit into a UDP packet, as a side effect of the earlier
    successful send operation).
    
    From GNU libc:
    https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bc779a1a5b3035133024b21e2f339fe4219fb11c

-----------------------------------------------------------------------

Summary of changes:
 libc/inet/rpc/clnt_udp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)



hooks/post-receive
diff mbox

Patch

diff --git a/libc/inet/rpc/clnt_udp.c b/libc/inet/rpc/clnt_udp.c
index 4fc55b7..ce7e9e6 100644
--- a/libc/inet/rpc/clnt_udp.c
+++ b/libc/inet/rpc/clnt_udp.c
@@ -368,9 +368,15 @@  send_again:
 	  struct sock_extended_err *e;
 	  struct sockaddr_in err_addr;
 	  struct iovec iov;
-	  char *cbuf = (char *) alloca (outlen + 256);
+	  char *cbuf = malloc (outlen + 256);
 	  int ret;
 
+	  if (cbuf == NULL)
+	    {
+	      cu->cu_error.re_errno = errno;
+	      return (cu->cu_error.re_status = RPC_CANTRECV);
+	    }
+
 	  iov.iov_base = cbuf + 256;
 	  iov.iov_len = outlen;
 	  msg.msg_name = (void *) &err_addr;
@@ -395,10 +401,12 @@  send_again:
 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 		{
+		  free (cbuf);
 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 		  cu->cu_error.re_errno = e->ee_errno;
 		  return (cu->cu_error.re_status = RPC_CANTRECV);
 		}
+	  free (cbuf);
 	}
 #endif
       do