diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog
index 521b4cd4c..a6b39b28c 100644
--- a/winsup/cygwin/ChangeLog
+++ b/winsup/cygwin/ChangeLog
@@ -1,3 +1,15 @@
+2010-09-10  Corinna Vinschen  <corinna@vinschen.de>
+
+	* flock.cc (allow_others_to_sync): Define MAX_PROCESS_SD_SIZE.  Use
+	instead of ACL_DEFAULT_SIZE.
+	* sec_acl.cc (setacl): Use TLS buffer to allow maximum ACL size.
+	* security.h (ACL_DEFAULT_SIZE): Drop definition.
+	(ACL_MAXIMUM_SIZE): Define.
+	(SD_MAXIMUM_SIZE): Define.
+	* security.cc (get_file_sd): Allocate security_decscriptor with size
+	SD_MAXIMUM_SIZE.
+	(alloc_sd): Use TLS buffer to allow maximum ACL size.
+
 2010-09-10  Corinna Vinschen  <corinna@vinschen.de>
 
 	* mount.cc (class fs_info_cache): New class to cache filesystem
diff --git a/winsup/cygwin/flock.cc b/winsup/cygwin/flock.cc
index 7d0436b11..c899361ff 100644
--- a/winsup/cygwin/flock.cc
+++ b/winsup/cygwin/flock.cc
@@ -155,10 +155,11 @@ allow_others_to_sync ()
      should be more than sufficient for process ACLs.  Can't use tls functions
      at this point because this gets called during initialization when the tls
      is not really available.  */
-  PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR) alloca (ACL_DEFAULT_SIZE);
+#define MAX_PROCESS_SD_SIZE	3072
+  PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR) alloca (MAX_PROCESS_SD_SIZE);
   status = NtQuerySecurityObject (NtCurrentProcess (),
 				  DACL_SECURITY_INFORMATION, sd,
-				  ACL_DEFAULT_SIZE, &len);
+				  MAX_PROCESS_SD_SIZE, &len);
   if (!NT_SUCCESS (status))
     {
       debug_printf ("NtQuerySecurityObject: %p", status);
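Review bot: `MAX_PROCESS_SD_SIZE` is defined in the middle of allow_others_to_sync () and never undefined, so the macro stays visible for the rest of flock.cc although it only describes one local buffer. A function-local constant such as `const ULONG max_process_sd_size = 3072;`, or an `#undef MAX_PROCESS_SD_SIZE` after the NtQuerySecurityObject call, would keep it scoped. The comment above the allocation should also state that the process limit stays at 3072 bytes while file ACLs now go up to ACL_MAXIMUM_SIZE, and that a larger process DACL makes this query fail. Only the debug_printf on that failure path is visible; the rest of the function lies outside the hunk.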
diff --git a/winsup/cygwin/sec_acl.cc b/winsup/cygwin/sec_acl.cc
index fbf2bffa7..2650b45c8 100644
--- a/winsup/cygwin/sec_acl.cc
+++ b/winsup/cygwin/sec_acl.cc
@@ -22,6 +22,7 @@ details. */
 #include "dtable.h"
 #include "cygheap.h"
 #include "pwdgrp.h"
+#include "tls_pbuf.h"
 
 static int
 searchace (__aclent32_t *aclp, int nentries, int type, __uid32_t id = ILLEGAL_UID)
@@ -40,6 +41,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
 	bool &writable)
 {
   security_descriptor sd_ret;
+  tmp_pathbuf tp;
 
   if (get_file_sd (handle, pc, sd_ret, false))
     return -1;
@@ -83,7 +85,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
     }
 
   /* Fill access control list. */
-  PACL acl = (PACL) alloca (ACL_DEFAULT_SIZE);
+  PACL acl = (PACL) tp.w_get ();
   size_t acl_len = sizeof (ACL);
   int ace_off = 0;
 
@@ -92,7 +94,7 @@ setacl (HANDLE handle, path_conv &pc, int nentries, __aclent32_t *aclbufp,
   struct __group32 *gr;
   int pos;
 
-  if (!InitializeAcl (acl, ACL_DEFAULT_SIZE, ACL_REVISION))
+  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
     {
       __seterrno ();
       return -1;
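Review bot: The length passed to InitializeAcl here, `ACL_MAXIMUM_SIZE`, is no longer tied to the allocation, because the buffer now comes from `tp.w_get ()` (earlier hunk in setacl) and nothing in the diff states how large that buffer is. If the TLS path buffer were ever smaller than 65532 bytes, the ACL routines would be told they may write past its end. A comment at the allocation would record the dependency, for example `/* tp.w_get () must return at least ACL_MAXIMUM_SIZE bytes. */`. The same applies to the alloc_sd hunk in security.cc. The ACE-filling loop that follows is outside this hunk, so whether it bounds `acl_len` against the new limit cannot be seen here.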
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index e88fcf2fc..1052f98c0 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -24,6 +24,7 @@ details. */
 #include "cygheap.h"
 #include "ntdll.h"
 #include "pwdgrp.h"
+#include "tls_pbuf.h"
 #include <aclapi.h>
 
 #define ALL_SECURITY_INFORMATION (DACL_SECURITY_INFORMATION \
@@ -68,7 +69,7 @@ get_file_sd (HANDLE fh, path_conv &pc, security_descriptor &sd,
 	  else
 	    {
 	      NTSTATUS status;
-	      ULONG len = 32768;
+	      ULONG len = SD_MAXIMUM_SIZE;
 
 	      if (!sd.malloc (len))
 		{
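Review bot: `SD_MAXIMUM_SIZE` (65536) is not a strict upper bound for a descriptor whose DACL reaches `ACL_MAXIMUM_SIZE` (65532), because the descriptor header and the owner and group SIDs are stored in addition to the DACL. The query that consumes `len` is outside this hunk. If it treats a too-small buffer like any other error, that status is worth reporting separately so an oversized descriptor is not mistaken for an unreadable one. A comment next to the assignment, e.g. `/* Assumed upper bound, not a hard limit: header + SIDs + maximum DACL can exceed it. */`, would document the assumption.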
@@ -413,6 +414,7 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
 	  security_descriptor &sd_ret)
 {
   BOOL dummy;
+  tmp_pathbuf tp;
 
   /* NOTE: If the high bit of attribute is set, we have just created
      a file or directory.  See below for an explanation. */
@@ -483,8 +485,8 @@ alloc_sd (path_conv &pc, __uid32_t uid, __gid32_t gid, int attribute,
     }
 
   /* Initialize local access control list. */
-  PACL acl = (PACL) alloca (ACL_DEFAULT_SIZE);
-  if (!InitializeAcl (acl, ACL_DEFAULT_SIZE, ACL_REVISION))
+  PACL acl = (PACL) tp.w_get ();
+  if (!InitializeAcl (acl, ACL_MAXIMUM_SIZE, ACL_REVISION))
     {
       __seterrno ();
       return NULL;
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h
index d38edc16d..198f0f075 100644
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@@ -26,7 +26,8 @@ details. */
 #define MAX_DACL_LEN(n) (sizeof (ACL) \
 		   + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
 #define SD_MIN_SIZE (sizeof (SECURITY_DESCRIPTOR) + MAX_DACL_LEN (1))
-#define ACL_DEFAULT_SIZE 3072
+#define ACL_MAXIMUM_SIZE 65532	/* Yeah, right.  64K - sizeof (DWORD). */
+#define SD_MAXIMUM_SIZE 65536
 #define NO_SID ((PSID)NULL)
 
 #ifndef SE_CREATE_TOKEN_PRIVILEGE
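Review bot: The comment on `ACL_MAXIMUM_SIZE`, `/* Yeah, right.  64K - sizeof (DWORD). */`, gives the arithmetic but not the reason, and `SD_MAXIMUM_SIZE` has no comment at all. Suggested wording for the first is `/* Largest DWORD-aligned value that fits the 16-bit AclSize field. */`. For the second, `/* Buffer size used when querying a file's security descriptor. */` would say what the value is for. Both constants now size buffers that hold security data, so the header should say where each limit comes from.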