commit 7a42aa8af6779286aabb11a666f25f37ece98eb8
Author: Steve Dickson <steved@redhat.com>
Date: Tue Mar 6 13:05:17 2018 -0500
clnt_dg_call: Change the memory allocation
Commit 2936f109590e add free()s on memory that
was allocated from the stack (via alloca()).
That type memory is automatically freed so
those added free()s were causing double frees.
It was suggested allocating memory from the
stack can be a bit troublesome. So this patch
changes the memory allocation from the stack
to the heap which also eliminates the double frees.
Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
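--- a/src/clnt_dg.c
+++ b/src/clnt_dg.c
@@ -430,7 +430,7 @@ get_reply:
 struct sockaddr_in err_addr;
 struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr;
 struct iovec iov;
-char *cbuf = (char *) alloca (outlen + 256);
+char *cbuf = (char *) mem_alloc((outlen + 256));
 int ret;
 
 if (cbuf == NULL)
@@ -462,13 +462,13 @@ get_reply:
 cmsg = CMSG_NXTHDR (&msg, cmsg))
 if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 {
-free(cbuf);
+mem_free(cbuf, (outlen + 256));
 e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 cu->cu_error.re_errno = e->ee_errno;
 release_fd_lock(cu->cu_fd, mask);
 return (cu->cu_error.re_status = RPC_CANTRECV);
 }
-free(cbuf);
+mem_free(cbuf, (outlen + 256));
 }
 #endif
 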
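Review bot: Moving cbuf from alloca() to the heap means every exit between the `if (cbuf == NULL)` check at the end of the first hunk and the final `mem_free()` at the end of the second must now release it explicitly; the two `mem_free()` calls in the second hunk cover only the IP_RECVERR return and the normal fall-through, so any early return in the code between the hunks (not visible here) would leak the buffer where alloca() previously reclaimed it automatically, and that stretch should be checked. The size expression `(outlen + 256)` is repeated in the allocation and both frees; a single local such as `size_t cbuf_len = outlen + 256;` declared next to cbuf and passed to both `mem_alloc(cbuf_len)` and `mem_free(cbuf, cbuf_len)` keeps the freed size tied to the allocated one and gives the 256-byte reserve a name. The `(char *)` cast on the allocation result is unnecessary in C. The enclosing block of clnt_dg_call starts before the first hunk and continues between and after the two hunks.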