public inbox for libc-stable@sourceware.org
* [COMMITTED 2.19] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
@ 2016-01-01  0:00 Aurelien Jarno
From: Aurelien Jarno @ 2016-01-01  0:00 UTC (permalink / raw)
  To: libc-stable; +Cc: Florian Weimer

From: Florian Weimer <fweimer@redhat.com>

The call is technically in a loop, and under certain circumstances
(which are quite difficult to reproduce in a test case), alloca
can be invoked repeatedly during a single call to clntudp_call.
As a result, the available stack space can be exhausted (even
though individual alloca sizes are bounded implicitly by what
can fit into a UDP packet, as a side effect of the earlier
successful send operation).

(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
---
 ChangeLog         |  7 +++++++
 NEWS              |  6 +++++-
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f9a9e33..fb2d7ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+	CVE-2016-4429
+	[BZ #20112]
+	* sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+	payload.
+
 2016-03-25  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #19791]
diff --git a/NEWS b/NEWS
index d14f9ed..937c618 100644
--- a/NEWS
+++ b/NEWS
@@ -13,7 +13,7 @@ Version 2.19.1
   16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
   17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
   18032, 18080, 18240, 18287, 18508, 18665, 18905, 19779, 19791, 19879,
-  20010.
+  20010, 20112.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
@@ -92,6 +92,10 @@ Version 2.19.1
   the overflow.  Thanks to the Google Security Team and Red Hat for
   reporting the security impact of this issue, and Robert Holiday of
   Ciena for reporting the related bug 18665. (CVE-2015-7547)
+
+* The Sun RPC UDP client could exhaust all available stack space when
+  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
+  alloca plugin for GCC.  (CVE-2016-4429)
 \f
 Version 2.19
 
diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
index 1b6a20b..81d5637 100644
--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
@@ -420,9 +420,15 @@ send_again:
 	  struct sock_extended_err *e;
 	  struct sockaddr_in err_addr;
 	  struct iovec iov;
-	  char *cbuf = (char *) alloca (outlen + 256);
+	  char *cbuf = malloc (outlen + 256);
 	  int ret;
 
+	  if (cbuf == NULL)
+	    {
+	      cu->cu_error.re_errno = errno;
+	      return (cu->cu_error.re_status = RPC_CANTRECV);
+	    }
+
 	  iov.iov_base = cbuf + 256;
 	  iov.iov_len = outlen;
 	  msg.msg_name = (void *) &err_addr;
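Review bot: the NULL check added after `char *cbuf = malloc (outlen + 256);` returns RPC_CANTRECV with `re_errno` copied from errno, which matches the error convention the IP_RECVERR path below already uses, so the new failure path is consistent. Because this block sits under the `send_again:` label, the buffer is now obtained once per retry and its size stays bounded by outlen plus the fixed 256-byte prefix, which is exactly what stops the per-iteration stack growth described in the commit message. One thing to confirm outside the visible lines is that nothing acquired earlier in the same retry iteration needs releasing on this new early return; the hunk shows no such cleanup, which is fine only if there is nothing to clean up at that point.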
@@ -447,10 +453,12 @@ send_again:
 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 		{
+		  free (cbuf);
 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 		  cu->cu_error.re_errno = e->ee_errno;
 		  return (cu->cu_error.re_status = RPC_CANTRECV);
 		}
+	  free (cbuf);
 	}
 #endif
       do
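Review bot: the `free (cbuf);` inserted at the top of the IP_RECVERR branch runs before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`; if `msg.msg_control` points at the first 256 bytes of cbuf, which the `iov.iov_base = cbuf + 256` payload offset in the previous hunk strongly suggests, then cmsg and e point into memory that has just been freed and `e->ee_errno` is a use-after-free read. The safe ordering is to keep the two lines that read from cmsg and then free immediately before the return, i.e. `cu->cu_error.re_errno = e->ee_errno;` followed by `free (cbuf);` and then the `return (cu->cu_error.re_status = RPC_CANTRECV);`. Separately, only two exits from the allocation region are visible here (the early return and the trailing `free (cbuf);` after the cmsg loop); any other path out of the `#ifdef` block between the malloc and these frees, such as an error return from the recvmsg on the error queue, would now leak outlen + 256 bytes per retry, so the full block should be walked once or run under a leak checker to confirm every path reaches a free.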
-- 
2.8.1
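The commit message explains the bug only in words: alloca inside a retry loop adds a fresh `outlen + 256` bytes to the stack frame on every pass, so a long run of retries exhausts the stack, while a malloc/free pair keeps peak usage at one buffer. The program below is an added example, not code from glibc or from this patch: it replaces the socket error queue with a scripted stand-in and models the fixed loop's discipline (allocate per pass, free on every exit, propagate errno on allocation failure), tracking both the live heap high-water mark and the bytes a per-iteration alloca would have consumed. All names (`error_sim`, `simulated_clnt_call`, `run_script`, the `SCRIPT_*` sequences, `SIM_*` status codes) are hypothetical, and the event scripts and the ECONNREFUSED value are constructed for the demonstration.

```c
/* Added example, not glibc code: models the clntudp_call retry loop with a
   scripted error queue to show why malloc/free bounds peak memory where a
   per-iteration alloca does not. All identifiers here are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative status codes standing in for enum clnt_stat. */
enum sim_status { SIM_SUCCESS = 0, SIM_CANTRECV = 1 };

/* What the stubbed error queue hands back on one pass of the loop. */
enum sim_event { EV_NO_MATCHING_CMSG, EV_IP_RECVERR, EV_REPLY_READY };

struct error_sim {
    const enum sim_event *script;  /* constructed event sequence, one per pass */
    size_t script_len;
    size_t pos;
    int fail_malloc;               /* set to exercise the allocation-failure path */
    long live_heap;                /* bytes currently allocated; must be 0 on return */
    long peak_heap;                /* high-water mark of live_heap */
    long alloca_equivalent;        /* bytes a per-pass alloca would have added to the frame */
    int re_errno;                  /* mirrors cu->cu_error.re_errno */
};

/* Constructed scripts: three spurious wakeups then a reply; one spurious
   wakeup then an ICMP-reported error. */
const enum sim_event SCRIPT_SPURIOUS_THEN_REPLY[] = {
    EV_NO_MATCHING_CMSG, EV_NO_MATCHING_CMSG, EV_NO_MATCHING_CMSG, EV_REPLY_READY };
const enum sim_event SCRIPT_ICMP_ERROR[] = { EV_NO_MATCHING_CMSG, EV_IP_RECVERR };

static enum sim_event sim_next_event(struct error_sim *s) {
    if (s->pos >= s->script_len) return EV_REPLY_READY;  /* queue drained */
    return s->script[s->pos++];
}

static void *sim_malloc(struct error_sim *s, size_t n) {
    if (s->fail_malloc) { errno = ENOMEM; return NULL; }
    void *p = malloc(n);
    if (p != NULL) {
        s->live_heap += (long)n;
        if (s->live_heap > s->peak_heap) s->peak_heap = s->live_heap;
    }
    return p;
}

static void sim_free(struct error_sim *s, void *p, size_t n) {
    free(p);
    s->live_heap -= (long)n;
}

/* Modelled on the fixed loop: the control buffer is heap allocated on
   every pass and released on every exit from that pass. */
int simulated_clnt_call(struct error_sim *s, size_t outlen) {
    size_t cbuf_len = outlen + 256;          /* same size expression as the patch */
    for (;;) {                               /* stands in for the send_again retry */
        char *cbuf = sim_malloc(s, cbuf_len);
        if (cbuf == NULL) {
            s->re_errno = errno;             /* allocation-failure path from the patch */
            return SIM_CANTRECV;
        }
        s->alloca_equivalent += (long)cbuf_len;  /* growth alloca would have caused */
        memset(cbuf + 256, 0, outlen);           /* payload area, as iov_base = cbuf + 256 */

        enum sim_event ev = sim_next_event(s);
        if (ev == EV_IP_RECVERR) {
            s->re_errno = ECONNREFUSED;      /* constructed stand-in for e->ee_errno */
            sim_free(s, cbuf, cbuf_len);     /* free after the error data has been read */
            return SIM_CANTRECV;
        }
        sim_free(s, cbuf, cbuf_len);         /* trailing free on the non-error path */
        if (ev == EV_REPLY_READY) return SIM_SUCCESS;
        /* EV_NO_MATCHING_CMSG: nothing usable was dequeued, go round again */
    }
}

/* Runs one constructed script and leaves the counters in *out for inspection. */
int run_script(const enum sim_event *script, size_t n, size_t outlen,
               int fail_malloc, struct error_sim *out) {
    memset(out, 0, sizeof *out);
    out->script = script;
    out->script_len = n;
    out->fail_malloc = fail_malloc;
    return simulated_clnt_call(out, outlen);
}

int main(void) {
    struct error_sim r;
    run_script(SCRIPT_SPURIOUS_THEN_REPLY, 4, 1000, 0, &r);
    printf("peak heap %ld bytes, alloca-equivalent %ld bytes, live %ld bytes\n",
           r.peak_heap, r.alloca_equivalent, r.live_heap);
    return 0;
}
```

With a 1000-byte request and four passes, the heap high-water mark stays at 1256 bytes while the alloca-equivalent figure is four times that; the gap is what grows without bound when the loop is driven through many passes. The example orders the free after the error field is read on the IP_RECVERR path, since the buffer is the only place that data lives.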

