From 44152e4b05fcc8bae5628cdb37342d9b7bd5ac3c Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Mon, 24 Mar 2014 11:06:30 +0100
Subject: Account for alloca use when collecting interface addresses (bug
 16002)

To reproduce:

	# ip li add name dummy0 type dummy
	# site_id=$(head -c6 /dev/urandom | od -tx2 -An | tr ' ' ':')
	# for ((i = 0; i < 65536; i++)) do
	> ip ad ad $(printf fd80$site_id::%04x $i)/128 dev dummy0
	> done
	# (ulimit -s 900; getent ahosts localhost)
	# ip li de dummy0
---
 sysdeps/unix/sysv/linux/check_pf.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

(limited to 'sysdeps/unix/sysv/linux')

diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c
index 5c8e75affc..6d8468d467 100644
--- a/sysdeps/unix/sysv/linux/check_pf.c
+++ b/sysdeps/unix/sysv/linux/check_pf.c
@@ -139,9 +139,10 @@ make_request (int fd, pid_t pid)
 #endif
   bool use_malloc = false;
   char *buf;
+  size_t alloca_used = 0;
 
   if (__libc_use_alloca (buf_size))
-    buf = alloca (buf_size);
+    buf = alloca_account (buf_size, alloca_used);
   else
     {
       buf = malloc (buf_size);
@@ -163,6 +164,7 @@ make_request (int fd, pid_t pid)
   {
     struct in6addrinfo info;
     struct in6ailist *next;
+    bool use_malloc;
   } *in6ailist = NULL;
   size_t in6ailistlen = 0;
   bool seen_ipv4 = false;
@@ -239,7 +241,19 @@ make_request (int fd, pid_t pid)
 		    }
 		}
 
-	      struct in6ailist *newp = alloca (sizeof (*newp));
+	      struct in6ailist *newp;
+	      if (__libc_use_alloca (alloca_used + sizeof (*newp)))
+		{
+		  newp = alloca_account (sizeof (*newp), alloca_used);
+		  newp->use_malloc = false;
+		}
+	      else
+		{
+		  newp = malloc (sizeof (*newp));
+		  if (newp == NULL)
+		    goto out_fail;
+		  newp->use_malloc = true;
+		}
 	      newp->info.flags = (((ifam->ifa_flags
 				    & (IFA_F_DEPRECATED
 				       | IFA_F_OPTIMISTIC))
@@ -286,7 +300,10 @@ make_request (int fd, pid_t pid)
       do
 	{
 	  result->in6ai[--in6ailistlen] = in6ailist->info;
-	  in6ailist = in6ailist->next;
+	  struct in6ailist *next = in6ailist->next;
+	  if (in6ailist->use_malloc)
+	    free (in6ailist);
+	  in6ailist = next;
 	}
       while (in6ailist != NULL);
     }
@@ -302,7 +319,14 @@ make_request (int fd, pid_t pid)
     free (buf);
   return result;
 
-out_fail:
+ out_fail:
+  while (in6ailist != NULL)
+    {
+      struct in6ailist *next = in6ailist->next;
+      if (in6ailist->use_malloc)
+	free (in6ailist);
+      in6ailist = next;
+    }
   if (use_malloc)
     free (buf);
   return NULL;
-- 
cgit 1.4.1