clnt_dg_call: Change the memory allocation

Signed-off-by: Steve Dickson <steved@redhat.com>

libtirpc-1.0.3-alloca.patch

@@ -0,0 +1,51 @@
+commit 7a42aa8af6779286aabb11a666f25f37ece98eb8
+Author: Steve Dickson <steved@redhat.com>
+Date:   Tue Mar 6 13:05:17 2018 -0500
+
+    clnt_dg_call: Change the memory allocation
+    
+    Commit 2936f109590e add free()s on memory that
+    was allocated from the stack (via alloca()).
+    That type memory is automatically freed so
+    those added free()s was causing a double frees.
+    
+    It was suggested allocating memory from the
+    stack can be a bit troublesome. So this patch
+    changes the memory allocation from the stack
+    to the heap which also eliminates the double frees.
+    
+    Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
+    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
+    
+    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/src/clnt_dg.c b/src/clnt_dg.c
+index 884a2db..04a2aba 100644
+--- a/src/clnt_dg.c
++++ b/src/clnt_dg.c
+@@ -430,7 +430,7 @@ get_reply:
+ 	  struct sockaddr_in err_addr;
+ 	  struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr;
+ 	  struct iovec iov;
+-	  char *cbuf = (char *) alloca (outlen + 256);
++	  char *cbuf = (char *) mem_alloc((outlen + 256));
+ 	  int ret;
+ 
+ 	  if (cbuf == NULL) 
+@@ -462,13 +462,13 @@ get_reply:
+ 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
+ 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ 		{
+-		  free(cbuf);
++		  mem_free(cbuf, (outlen + 256));
+ 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ 		  cu->cu_error.re_errno = e->ee_errno;
+ 		  release_fd_lock(cu->cu_fd, mask);
+ 		  return (cu->cu_error.re_status = RPC_CANTRECV);
+ 		}
+-	  free(cbuf);
++	  mem_free(cbuf, (outlen + 256));
+ 	}
+ #endif
+ 

libtirpc.spec

@@ -2,7 +2,7 @@
 
 Name:			libtirpc
 Version:		1.0.2
-Release:		5.rc2%{?dist}
+Release:		6.rc2%{?dist}
 Summary:		Transport Independent RPC Library
 Group:		  	System Environment/Libraries
 License:		SISSL and BSD
@@ -10,6 +10,7 @@ URL:  			http://nfsv4.bullopensource.org/
 Source0:		http://downloads.sourceforge.net/libtirpc/libtirpc-%{version}.tar.bz2
 
 Patch001:			libtirpc-1.0.3-rc2.patch
+Patch002:			libtirpc-1.0.3-alloca.patch
 
 BuildRequires:		automake, autoconf, libtool, pkgconfig
 BuildRequires:		krb5-devel
@@ -41,6 +42,7 @@ developing programs which use the tirpc library.
 %setup -q
 
 %patch001 -p1 
+%patch002 -p1 
 
 # Remove .orig files
 find . -name "*.orig" | xargs rm -f
@@ -131,6 +133,9 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 %{_mandir}/*/*
 
 %changelog
+* Tue Mar  6 2018 Steve Dickson <steved@redhat.com> 1.0.2-6.rc2
+- clnt_dg_call: Change the memory allocation
+
 * Thu Mar  1 2018 Steve Dickson <steved@redhat.com> 1.0.2-5.rc2
 - Update to latest upstream RC release: libtirpc-1-0-3-rc2 (bz 1337142)
 
@@ -140,7 +145,7 @@ mv %{buildroot}%{_mandir}/man3 %{buildroot}%{_mandir}/man3t
 * Tue Nov 14 2017 Steve Dickson <steved@redhat.com> 1.0.2-4
 - Update to latest upstream RC release: libtirpc-1-0-3-rc1
 
-* Tue Aug 22 2017 Petr Šabata <contyk@redhat.com> - 1.0.2-3
+* Tue Aug 22 2017 Petr abata <contyk@redhat.com> - 1.0.2-3
 - Fixing the FTBFS on behalf of Rafael Fonseca (rhbz#1482063)
 
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-2