CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]

The call is technically in a loop, and under certain circumstances
(which are quite difficult to reproduce in a test case), alloca
can be invoked repeatedly during a single call to clntudp_call.
As a result, the available stack space can be exhausted (even
though individual alloca sizes are bounded implicitly by what
can fit into a UDP packet, as a side effect of the earlier
successful send operation).

(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)

diff --git a/ChangeLog b/ChangeLog
index 62794f26b6bea14dc59b99f5ef466bf680455edb..123274c27058fbd70dc14c0c3bfd8e0983376ca9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-05-23  Florian Weimer  <fweimer@redhat.com>
+
+       CVE-2016-4429
+       [BZ #20112]
+       * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+       payload.
+
 2016-05-02  Florian Weimer  <fweimer@redhat.com>
 
        [BZ #19573]

diff --git a/NEWS b/NEWS
index 94b731f11c5720f4a51e5152613cd87a3211160f..b0b981b1b777ca795504ede08966ebe0dd8518e8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,7 +26,7 @@ Version 2.22.1
   17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796,
   18870, 18887, 18921, 18928, 18969, 18985, 19003, 19018, 19048, 19058,
   19174, 19178, 19182, 19243, 19573, 19590, 19682, 19791, 19822, 19853,
-  19879, 19779, 20010.
+  19879, 19779, 20010, 20112.
 
 * The getnetbyname implementation in nss_dns had a potentially unbounded
   alloca call (in the form of a call to strdupa), leading to a stack
@@ -53,6 +53,10 @@ Version 2.22.1
   even after the fix for CVE-2013-4458 has been applied, potentially
   resulting in a stack overflow.  getaddrinfo now uses a heap allocation
   instead.  Reported by Michael Petlan.  (CVE-2016-3706)
+
+* The Sun RPC UDP client could exhaust all available stack space when
+  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
+  alloca plugin for GCC.  (CVE-2016-4429)
 \f
 Version 2.22
 

diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
index 6ffa5f259009f44914767b1677085450d4b9d7cc..c818caff7e10dac7e9ce73e7bd14aaa26669cf7c 100644 (file)
--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
@@ -420,9 +420,15 @@ send_again:
          struct sock_extended_err *e;
          struct sockaddr_in err_addr;
          struct iovec iov;
-         char *cbuf = (char *) alloca (outlen + 256);
+         char *cbuf = malloc (outlen + 256);
          int ret;
 
+         if (cbuf == NULL)
+           {
+             cu->cu_error.re_errno = errno;
+             return (cu->cu_error.re_status = RPC_CANTRECV);
+           }
+
          iov.iov_base = cbuf + 256;
          iov.iov_len = outlen;
          msg.msg_name = (void *) &err_addr;
@@ -447,10 +453,12 @@ send_again:
                 cmsg = CMSG_NXTHDR (&msg, cmsg))
              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
                {
+                 free (cbuf);
                  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
                  cu->cu_error.re_errno = e->ee_errno;
                  return (cu->cu_error.re_status = RPC_CANTRECV);
                }
+         free (cbuf);
        }
 #endif
       do