Bug 1337136 (CVE-2016-4429) - CVE-2016-4429 glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()
Summary: CVE-2016-4429 glibc: libtirpc: stack (frame) overflow in Sun RPC clntudp_call()
Alias: CVE-2016-4429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1337140 1337142
Reported: 2016-05-18 11:45 UTC by Martin Prpič
Modified: 2019-09-29 13:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-05-18 11:54:03 UTC

Attachments
CVE-2016-4429 patch (946 bytes, text/plain)
2016-05-18 11:49 UTC, Martin Prpič

External tracker: Sourceware bug 20112 (last updated 2019-03-12 12:11:19 UTC)

Description Martin Prpič 2016-05-18 11:45:34 UTC
A stack frame overflow flaw was found in glibc's clntudp_call(). A malicious server could use this flaw to flood a connecting client application with ICMP and UDP packets, triggering the stack overflow and resulting in a crash.

clntudp_call() contains an alloca call in a loop, which causes it to consume very large amounts of stack space.

The same faulty code is also present in the libtirpc library.
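The following C program is an added illustration of the bug shape described above; it is not glibc or libtirpc code and does not reproduce the original fix. It mimics the structure of a UDP RPC retry loop in which each ICMP error reported on the socket is drained into a control-message buffer: the vulnerable variant calls alloca() for that buffer on every pass, so the stack frame grows with the number of error packets the peer sends and is only reclaimed when the function returns, while the hardened variant sizes the buffer once before the loop and allocates it on the heap. The event stream, the CMSG_ERR_SPACE constant and the function names are constructed for the example; the measured value is the distance between the first and last buffer address, which is the stack the loop consumed.

```c
/* Added example for CVE-2016-4429's bug shape (not glibc/libtirpc code). */
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sizeof(struct cmsghdr) + sizeof(struct sock_extended_err). */
#define CMSG_ERR_SPACE 64

/* Constructed event stream consumed while waiting for the RPC reply:
 * 1 = an ICMP error queued on the socket, 0 = the reply arrived. */
typedef struct { const int *ev; size_t n; } sim_sock;

static size_t stack_distance(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }

/* Vulnerable shape: alloca() inside the retry loop.  Returns how far the last
 * buffer sits from the first, i.e. how much stack the loop consumed. */
static size_t call_with_alloca(sim_sock s, size_t outlen)
{
    uintptr_t first = 0, last = 0;
    for (size_t i = 0; i < s.n && s.ev[i] != 0; i++) {
        size_t cbuf_len = outlen + CMSG_ERR_SPACE;
        char *cbuf = alloca(cbuf_len);       /* BUG: fresh stack space every pass */
        memset(cbuf, 0, cbuf_len);           /* stand-in for recvmsg(..., MSG_ERRQUEUE) */
        if (first == 0) first = (uintptr_t)cbuf;
        last = (uintptr_t)cbuf;
    }
    return stack_distance(first, last);
}

/* Hardened shape: one heap buffer sized before the loop, freed on every exit path,
 * so the per-iteration stack footprint is constant regardless of peer behaviour. */
static size_t call_with_heap(sim_sock s, size_t outlen)
{
    size_t cbuf_len = outlen + CMSG_ERR_SPACE;
    char *cbuf = malloc(cbuf_len);
    if (cbuf == NULL)
        return (size_t)-1;                   /* report a receive failure instead of crashing */
    uintptr_t first = 0, last = 0;
    for (size_t i = 0; i < s.n && s.ev[i] != 0; i++) {
        memset(cbuf, 0, cbuf_len);           /* same buffer reused on every pass */
        if (first == 0) first = (uintptr_t)cbuf;
        last = (uintptr_t)cbuf;
    }
    free(cbuf);
    return stack_distance(first, last);      /* always 0: one buffer, one address */
}

/* Builds a constructed flood of `errors` ICMP events followed by one reply and
 * runs the chosen variant against it. */
static size_t growth_for_flood(size_t errors, size_t outlen, int use_heap)
{
    int *ev = malloc((errors + 1) * sizeof *ev);
    if (ev == NULL) return (size_t)-1;
    for (size_t i = 0; i < errors; i++) ev[i] = 1;
    ev[errors] = 0;
    sim_sock s = { ev, errors + 1 };
    size_t g = use_heap ? call_with_heap(s, outlen) : call_with_alloca(s, outlen);
    free(ev);
    return g;
}

size_t alloca_growth_for_flood(size_t errors, size_t outlen) { return growth_for_flood(errors, outlen, 0); }
size_t heap_growth_for_flood(size_t errors, size_t outlen)   { return growth_for_flood(errors, outlen, 1); }

int main(void)
{
    printf("alloca variant, 8 errors: %zu bytes of stack\n", alloca_growth_for_flood(8, 1024));
    printf("heap variant,   8 errors: %zu bytes of stack\n", heap_growth_for_flood(8, 1024));
    return 0;
}
```

With eight queued errors the alloca variant reports at least 7 * (1024 + 64) bytes of stack, and the figure keeps rising with the error count; the heap variant reports 0 no matter how many errors are queued, which is the property a reviewer should look for when auditing any alloca() call that sits inside a loop driven by untrusted input.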

Comment 1 Martin Prpič 2016-05-18 11:45:49 UTC

Name: Aldy Hernandez (Red Hat)

Comment 2 Martin Prpič 2016-05-18 11:47:47 UTC
Created libtirpc tracking bugs for this issue:

Affects: fedora-all [bug 1337142]

Comment 3 Martin Prpič 2016-05-18 11:47:56 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1337140]

Comment 5 Martin Prpič 2016-05-18 11:49:36 UTC
Created attachment 1158765 [details]
CVE-2016-4429 patch

Comment 6 Adam Mariš 2016-07-07 08:31:42 UTC

Red Hat Product Security has rated this issue as having Low security impact, a future update may address this flaw.
