This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
- From: Florian Weimer <fweimer at redhat dot com>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 19 May 2016 13:57:38 +0200
- Subject: Re: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]
- Authentication-results: sourceware.org; auth=none
- References: <20160519110545 dot ED146400FD12E at oldenburg dot str dot redhat dot com> <mvmmvnm5knb dot fsf at hawking dot suse dot de>
On 05/19/2016 01:53 PM, Andreas Schwab wrote:
email@example.com (Florian Weimer) writes:
The call is technically in a loop, and under certain circumstances
(which are quite difficult to reproduce in a test case), alloca
can be invoked repeatedly during a single call to clntudp_call.
As a result, the available stack space can be exhausted (even
though individual alloca sizes are bounded implicitly by what
can fit into a UDP packet, as a side effect of the earlier
successful send operation).
If you use a VLA you can avoid that.
It's still a maintenance hazard for libtirpc because they might
eventually support IPv6 jumbograms, which won't fit on the stack.