This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "uClibc-ng - small C library for embedded systems". The branch, master has been updated via 9213ad631513d0e67d9d31465c9cdb3f3dde0399 (commit) from 79dc2c282b655adb8d5075d9eb2519883042ccf8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9213ad631513d0e67d9d31465c9cdb3f3dde0399 Author: Waldemar Brodkorb <wbx@uclibc-ng.org> Date: Fri Aug 5 21:33:44 2016 +0200 sunrpc: Do not use alloca in clntudp_call CVE-2016-4429: The call is technically in a loop, and under certain circumstances (which are quite difficult to reproduce in a test case), alloca can be invoked repeatedly during a single call to clntudp_call. As a result, the available stack space can be exhausted (even though individual alloca sizes are bounded implicitly by what can fit into a UDP packet, as a side effect of the earlier successful send operation). From GNU libc: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bc779a1a5b30351... ----------------------------------------------------------------------- Summary of changes: libc/inet/rpc/clnt_udp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libc/inet/rpc/clnt_udp.c b/libc/inet/rpc/clnt_udp.c index 4fc55b7..ce7e9e6 100644 --- a/libc/inet/rpc/clnt_udp.c +++ b/libc/inet/rpc/clnt_udp.c @@ -368,9 +368,15 @@ send_again: struct sock_extended_err *e; struct sockaddr_in err_addr; struct iovec iov; - char *cbuf = (char *) alloca (outlen + 256); + char *cbuf = malloc (outlen + 256); int ret; + if (cbuf == NULL) + { + cu->cu_error.re_errno = errno; + return (cu->cu_error.re_status = RPC_CANTRECV); + } + iov.iov_base = cbuf + 256; iov.iov_len = outlen; msg.msg_name = (void *) &err_addr; @@ -395,10 +401,12 @@ send_again: cmsg = CMSG_NXTHDR (&msg, cmsg)) if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) { + free (cbuf); e = (struct sock_extended_err *) CMSG_DATA(cmsg); cu->cu_error.re_errno = e->ee_errno; return (cu->cu_error.re_status = RPC_CANTRECV); } + free (cbuf); } #endif do hooks/post-receive -- uClibc-ng - small C library for embedded systems