commit 1cef1b19089528db11f221e938f60b9b048945d7
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Mar 21 15:50:27 2013 +0100
Fix stack overflow in getaddrinfo with many results
* CVE-2013-1914 Stack overflow in getaddrinfo with many results has been fixed (Bugzilla #15330).
sysdeps/posix/getaddrinfo.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff -Nurp glibc-2.14.1/sysdeps/posix/getaddrinfo.c glibc-2.14.1.CVE-2013-1914/sysdeps/posix/getaddrinfo.c
--- glibc-2.14.1/sysdeps/posix/getaddrinfo.c 2013-05-02 01:34:18.460657756 +0300
+++ glibc-2.14.1.CVE-2013-1914/sysdeps/posix/getaddrinfo.c 2013-05-02 01:40:56.897753351 +0300
@@ -2454,11 +2454,27 @@ getaddrinfo (const char *name, const cha
 __typeof (once) old_once = once;
 __libc_once (once, gaiconf_init);
 /* Sort results according to RFC 3484. */
- struct sort_result results[nresults];
- size_t order[nresults];
+ struct sort_result *results;
+ size_t *order;
 struct addrinfo *q;
 struct addrinfo *last = NULL;
 char *canonname = NULL;
+ bool malloc_results;
+
+ malloc_results
+ = !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+ if (malloc_results)
+ {
+ results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
+ if (results == NULL)
+ {
+ free (in6ai);
+ return EAI_MEMORY;
+ }
+ }
+ else
+ results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
+ order = (size_t *) (results + nresults);
 /* If we have information about deprecated and temporary addresses sort the array now. */
@@ -2625,6 +2641,9 @@ getaddrinfo (const char *name, const cha
 /* Fill in the canonical name into the new first entry. */
 p->ai_canonname = canonname;
+
+ if (malloc_results)
+ free (results);
 }
 free (in6ai);
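Review bot: The byte count `nresults * (sizeof (*results) + sizeof (size_t))` is spelled out three times (in the `__libc_use_alloca` test, the `malloc` call and the `alloca` call), so the stack-or-heap decision and the actual allocation only agree while all three copies stay identical. Computing it once, `size_t alloc_size = nresults * (sizeof (*results) + sizeof (size_t));`, and passing `alloc_size` to all three calls removes that risk and gives one place to add a wrap-around check if `nresults` (declared outside this hunk) is not otherwise bounded. Separately, the `results == NULL` branch frees only `in6ai` before returning `EAI_MEMORY`; the result list that the second hunk still reaches through `p` looks like it is left allocated on this path, which should be confirmed against the other error returns in the function. The body of getaddrinfo starts and ends outside the hunk.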
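Review bot: The release of `results` sits only on the fall-through path at the end of the sort block, so any `return` or `goto` between the allocation in the first hunk and this line would leak the heap copy; the intervening lines are outside both hunks, so this needs confirming against the full function. Nothing here records that `order` points into the same allocation as `results`, which invites a later change that frees `order` separately. A short comment above the `if`, such as `/* order lives in the same allocation as results; a single free releases both. */`, would document that.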