This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]


On 05/19/2016 01:53 PM, Andreas Schwab wrote:
> fweimer@redhat.com (Florian Weimer) writes:
>
>> The call is technically in a loop, and under certain circumstances
>> (which are quite difficult to reproduce in a test case), alloca
>> can be invoked repeatedly during a single call to clntudp_call.
>> As a result, the available stack space can be exhausted (even
>> though individual alloca sizes are bounded implicitly by what
>> can fit into a UDP packet, as a side effect of the earlier
>> successful send operation).
>
> If you use a VLA you can avoid that.

It's still a maintenance hazard for libtirpc because they might eventually support IPv6 jumbograms, which won't fit on the stack.

Florian
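
The three buffer strategies discussed in this message, as an added example that is not code from the glibc patch or from either poster: `alloca` inside a loop, a VLA scoped to the loop body, and a heap buffer allocated once. The function names, `MAX_ROUNDS` and the sizes are constructed for illustration, and the stack reuse shown for the VLA is the usual GCC/Clang behaviour rather than something the C standard guarantees.

```c
#include <alloca.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ROUNDS 64   /* constructed cap so the address log is fixed-size */

/* Distance between the lowest and highest buffer address recorded. */
static size_t span(const uintptr_t *a, int n) {
    uintptr_t lo = a[0], hi = a[0];
    for (int i = 1; i < n; i++) {
        if (a[i] < lo) lo = a[i];
        if (a[i] > hi) hi = a[i];
    }
    return (size_t)(hi - lo);
}

/* alloca in a loop: nothing is released until the function returns,
 * so stack use grows by at least len on every iteration. */
size_t alloca_loop_span(int rounds, size_t len) {
    uintptr_t addr[MAX_ROUNDS];
    if (rounds < 1 || rounds > MAX_ROUNDS) return 0;
    for (int i = 0; i < rounds; i++) {
        char *buf = alloca(len);
        memset(buf, i, len);
        addr[i] = (uintptr_t)buf;
    }
    return span(addr, rounds);
}

/* VLA in the loop body: its lifetime ends with each iteration, so the
 * compiler can reuse the same stack region. len is still unchecked. */
size_t vla_loop_span(int rounds, size_t len) {
    uintptr_t addr[MAX_ROUNDS];
    if (rounds < 1 || rounds > MAX_ROUNDS || len == 0) return 0;
    for (int i = 0; i < rounds; i++) {
        char buf[len];
        memset(buf, i, len);
        addr[i] = (uintptr_t)buf;
    }
    return span(addr, rounds);
}

/* Heap buffer allocated once outside the loop: size is not limited by
 * the stack, and allocation failure is reported instead of crashing. */
int heap_loop(int rounds, size_t len) {
    char *buf = malloc(len);
    if (buf == NULL) return -1;
    for (int i = 0; i < rounds; i++) memset(buf, i, len);
    free(buf);
    return 0;
}
```

With 16 rounds of 2048 bytes, the `alloca` variant spreads its buffers over at least 15 × 2048 bytes of stack, while the VLA variant normally reports a span of 0. Only the heap variant can take a buffer larger than the stack itself, such as the 16 MiB used in a quick check.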

