In GCC 4.7+, gcc mistakenly does not stack protect functions that contain just a variable length array and no other (or only very small) arrays.
See http://gcc.gnu.org/PR68680 for details, just use -fstack-protector instead of -fstack-protector-strong.
E.g. -O2 -fstack-protector:
int process(char *);
uses_vla(unsigned long sz)
test fails with gcc-4.8.5-4.el7
test passes for gcc-4.8.5-9.el7
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.