diff options
Diffstat (limited to 'gnu/packages/patches/glibc-CVE-2016-4429.patch')
| -rw-r--r-- | gnu/packages/patches/glibc-CVE-2016-4429.patch | 58 |
1 files changed, 0 insertions, 58 deletions
diff --git a/gnu/packages/patches/glibc-CVE-2016-4429.patch b/gnu/packages/patches/glibc-CVE-2016-4429.patch deleted file mode 100644 index 5eebd10543..0000000000 --- a/gnu/packages/patches/glibc-CVE-2016-4429.patch +++ /dev/null @@ -1,58 +0,0 @@ -From bdce95930e1d9a7d013d1ba78740243491262879 Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fweimer@redhat.com> -Date: Mon, 23 May 2016 20:18:34 +0200 -Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ - #20112] - -The call is technically in a loop, and under certain circumstances -(which are quite difficult to reproduce in a test case), alloca -can be invoked repeatedly during a single call to clntudp_call. -As a result, the available stack space can be exhausted (even -though individual alloca sizes are bounded implicitly by what -can fit into a UDP packet, as a side effect of the earlier -successful send operation). - -(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c) ---- - ChangeLog | 7 +++++++ - NEWS | 4 ++++ - sunrpc/clnt_udp.c | 10 +++++++++- - 3 files changed, 20 insertions(+), 1 deletion(-) - -diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c -index a6cf5f1..4d9acb1 100644 ---- a/sunrpc/clnt_udp.c -+++ b/sunrpc/clnt_udp.c -@@ -388,9 +388,15 @@ send_again: - struct sock_extended_err *e; - struct sockaddr_in err_addr; - struct iovec iov; -- char *cbuf = (char *) alloca (outlen + 256); -+ char *cbuf = malloc (outlen + 256); - int ret; - -+ if (cbuf == NULL) -+ { -+ cu->cu_error.re_errno = errno; -+ return (cu->cu_error.re_status = RPC_CANTRECV); -+ } -+ - iov.iov_base = cbuf + 256; - iov.iov_len = outlen; - msg.msg_name = (void *) &err_addr; -@@ -415,10 +421,12 @@ send_again: - cmsg = CMSG_NXTHDR (&msg, cmsg)) - if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) - { -+ free (cbuf); - e = (struct sock_extended_err *) CMSG_DATA(cmsg); - cu->cu_error.re_errno = e->ee_errno; - return (cu->cu_error.re_status = RPC_CANTRECV); - } -+ free (cbuf); - } - #endif - do --- -2.9.3 - |