libtirpc/libtirpc-1.0.3-alloca.patch
Steve Dickson 62e251c24f clnt_dg_call: Change the memory allocation
Signed-off-by: Steve Dickson <steved@redhat.com>
2018-03-10 10:31:45 -05:00

52 lines
1.7 KiB
Diff

commit 7a42aa8af6779286aabb11a666f25f37ece98eb8
Author: Steve Dickson <steved@redhat.com>
Date: Tue Mar 6 13:05:17 2018 -0500
clnt_dg_call: Change the memory allocation
Commit 2936f109590e add free()s on memory that
was allocated from the stack (via alloca()).
That type memory is automatically freed so
those added free()s was causing a double frees.
It was suggested allocating memory from the
stack can be a bit troublesome. So this patch
changes the memory allocation from the stack
to the heap which also eliminates the double frees.
Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
diff --git a/src/clnt_dg.c b/src/clnt_dg.c
index 884a2db..04a2aba 100644
--- a/src/clnt_dg.c
+++ b/src/clnt_dg.c
@@ -430,7 +430,7 @@ get_reply:
struct sockaddr_in err_addr;
struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr;
struct iovec iov;
- char *cbuf = (char *) alloca (outlen + 256);
+ char *cbuf = (char *) mem_alloc((outlen + 256));
int ret;
if (cbuf == NULL)
@@ -462,13 +462,13 @@ get_reply:
cmsg = CMSG_NXTHDR (&msg, cmsg))
if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
{
- free(cbuf);
+ mem_free(cbuf, (outlen + 256));
e = (struct sock_extended_err *) CMSG_DATA(cmsg);
cu->cu_error.re_errno = e->ee_errno;
release_fd_lock(cu->cu_fd, mask);
return (cu->cu_error.re_status = RPC_CANTRECV);
}
- free(cbuf);
+ mem_free(cbuf, (outlen + 256));
}
#endif