A crafted XDR message containing a string or bytes entity with a particularly large size but no content could cause xdr_opaque to leak virtual memory. Since the memory is never accessed, physical pages are not mapped (unless sysctl vm.overcommit_memory=2 is in effect). This was discovered in the wake of CVE-2017-8779.
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 1448796]
Per discussion on the libc-alpha mailing list (linked https://sourceware.org/bugzilla/show_bug.cgi?id=21461#c7), this is an application vulnerability rather than a flaw in glibc. Users of the sunrpc library routines must be careful to use XDR_FREE, even when deserialisation failure occurs.