This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/20112] sunrpc: stack (frame) overflow in Sun RPC clntudp_call (CVE-2016-4429)


https://sourceware.org/bugzilla/show_bug.cgi?id=20112

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  d42eed4a044e5e10dfb885cf9891c2518a72a491 (commit)
      from  963394a22b38c4ec92b6875a6c06d3b15d5c0d21 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491

commit d42eed4a044e5e10dfb885cf9891c2518a72a491
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Feb 27 19:05:13 2017 +0100

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
    (CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
    [BZ #20112]), ancillary data is stored on the heap,
    but it is accessed after it has been freed.

    The test case must be run under a heap debugger such as valgrind
    to observe the invalid access.  A malloc implementation which
    immediately calls munmap on free would catch this bug as well.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog              |    8 ++++++
 sunrpc/Makefile        |    3 +-
 sunrpc/clnt_udp.c      |    2 +-
 sunrpc/tst-udp-error.c |   62 ++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 sunrpc/tst-udp-error.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
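
The commit message's remark that a malloc which immediately calls munmap on free would catch the bug, shown as an added example (not code from the commit or from glibc). `page_alloc`, `page_free`, `touch` and `faults_in_child` are hypothetical names, and `touch` is a constructed stand-in for a read of a freed buffer, not the `clntudp_call` code.

```c
#define _DEFAULT_SOURCE 1          /* for MAP_ANONYMOUS on glibc */
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical debug allocator: one private mapping per block, unmapped on free. */
struct hdr { size_t map_len; size_t pad; };   /* 16 bytes keeps user data aligned */

static void *page_alloc(size_t n) {
    size_t page = (size_t) sysconf(_SC_PAGESIZE);
    size_t len = (sizeof(struct hdr) + n + page - 1) / page * page;
    struct hdr *h = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (h == MAP_FAILED) return NULL;
    h->map_len = len;              /* remember the mapping size for munmap */
    return h + 1;
}

static void page_free(void *p) {
    struct hdr *h = (struct hdr *) p - 1;
    munmap(h, h->map_len);         /* pages are gone at once, never recycled */
}

/* Constructed stand-in for the bug class: read a buffer before or after freeing it. */
static int touch(int after_free) {
    volatile unsigned char *cbuf = page_alloc(256);
    if (cbuf == NULL) return 2;
    cbuf[0] = 0x2a;
    if (after_free) { page_free((void *) cbuf); return cbuf[0] != 0x2a; }
    unsigned char v = cbuf[0];
    page_free((void *) cbuf);
    return v != 0x2a;
}

/* Runs touch() in a child: 1 = killed by SIGSEGV/SIGBUS, 0 = clean exit, -1 = other. */
static int faults_in_child(int after_free) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(touch(after_free));
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status))
        return (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS) ? 1 : -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
int main(void) {
    printf("before free: %d, after free: %d\n", faults_in_child(0), faults_in_child(1));
    return 0;
}
```

With an ordinary malloc the freed chunk usually stays mapped, so the same read returns stale data silently, which is why the test needs a heap debugger to show the invalid access.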
