commit 7a42aa8af6779286aabb11a666f25f37ece98eb8
Author: Steve Dickson <steved@redhat.com>
Date:   Tue Mar 6 13:05:17 2018 -0500

    clnt_dg_call: Change the memory allocation
    
    Commit 2936f109590e add free()s on memory that
    was allocated from the stack (via alloca()).
    That type memory is automatically freed so
    those added free()s was causing a double frees.
    
    It was suggested allocating memory from the
    stack can be a bit troublesome. So this patch
    changes the memory allocation from the stack
    to the heap which also eliminates the double frees.
    
    Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
    BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
    
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/src/clnt_dg.c b/src/clnt_dg.c
index 884a2db..04a2aba 100644
--- a/src/clnt_dg.c
+++ b/src/clnt_dg.c
@@ -430,7 +430,7 @@ get_reply:
 	  struct sockaddr_in err_addr;
 	  struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr;
 	  struct iovec iov;
-	  char *cbuf = (char *) alloca (outlen + 256);
+	  char *cbuf = (char *) mem_alloc((outlen + 256));
 	  int ret;
 
 	  if (cbuf == NULL) 
@@ -462,13 +462,13 @@ get_reply:
 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 		{
-		  free(cbuf);
+		  mem_free(cbuf, (outlen + 256));
 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 		  cu->cu_error.re_errno = e->ee_errno;
 		  release_fd_lock(cu->cu_fd, mask);
 		  return (cu->cu_error.re_status = RPC_CANTRECV);
 		}
-	  free(cbuf);
+	  mem_free(cbuf, (outlen + 256));
 	}
 #endif