diff options
| author | Steve Dickson <steved@redhat.com> | 2018-03-06 13:05:17 -0500 |
|---|---|---|
| committer | Steve Dickson <steved@redhat.com> | 2018-03-07 09:10:39 -0500 |
| commit | 7a42aa8af6779286aabb11a666f25f37ece98eb8 (patch) | |
| tree | 6339b80f4d8cd3d4f9973c510c463acc891d07b7 /src | |
| parent | 2936f109590e6b30e64802b881afefc1e2d7ecf6 (diff) | |
| download | ti-rpc-7a42aa8af6779286aabb11a666f25f37ece98eb8.tar.gz | |
clnt_dg_call: Change the memory allocation
Commit 2936f109590e add free()s on memory that
was allocated from the stack (via alloca()).
That type memory is automatically freed so
those added free()s was causing a double frees.
It was suggested allocating memory from the
stack can be a bit troublesome. So this patch
changes the memory allocation from the stack
to the heap which also eliminates the double frees.
Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/clnt_dg.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/clnt_dg.c b/src/clnt_dg.c index 884a2db..04a2aba 100644 --- a/src/clnt_dg.c +++ b/src/clnt_dg.c @@ -430,7 +430,7 @@ get_reply: struct sockaddr_in err_addr; struct sockaddr_in *sin = (struct sockaddr_in *)&cu->cu_raddr; struct iovec iov; - char *cbuf = (char *) alloca (outlen + 256); + char *cbuf = (char *) mem_alloc((outlen + 256)); int ret; if (cbuf == NULL) @@ -462,13 +462,13 @@ get_reply: cmsg = CMSG_NXTHDR (&msg, cmsg)) if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) { - free(cbuf); + mem_free(cbuf, (outlen + 256)); e = (struct sock_extended_err *) CMSG_DATA(cmsg); cu->cu_error.re_errno = e->ee_errno; release_fd_lock(cu->cu_fd, mask); return (cu->cu_error.re_status = RPC_CANTRECV); } - free(cbuf); + mem_free(cbuf, (outlen + 256)); } #endif |