From d42eed4a044e5e10dfb885cf9891c2518a72a491 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 27 Feb 2017 19:05:13 +0100 Subject: sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115] After commit bc779a1a5b3035133024b21e2f339fe4219fb11c (CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ #20112]), ancillary data is stored on the heap, but it is accessed after it has been freed. The test case must be run under a heap debugger such as valgrind to observe the invalid access. A malloc implementation which immediately calls munmap on free would catch this bug as well. --- sunrpc/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'sunrpc/Makefile') diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 0c1e6124ff..daf8a28f1a 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \ extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs)) others += rpcgen -tests = tst-xdrmem tst-xdrmem2 test-rpcent +tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error xtests := tst-getmyaddr ifeq ($(have-thread-library),yes) @@ -155,6 +155,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS) $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so +$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs)) -- cgit 1.4.1