Backport of:
From 8482b536f9494a5d45196ab5b7e13040f5940261 Mon Sep 17 00:00:00 2001
From: <jnperlin@hydra.localnet>
Date: Wed, 30 Sep 2015 21:55:09 +0200
Subject: [PATCH] [TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun
---
 ChangeLog | 2 ++
 ntpd/ntp_io.c | 15 +++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)
Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c 2015-10-22 16:27:40.686182025 -0400
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c 2015-10-22 16:32:28.776865553 -0400
@@ -3255,7 +3255,7 @@
 static inline int
 read_refclock_packet(SOCKET fd, struct refclockio *rp, l_fp ts)
 {
- int i;
+ u_int read_count;
 int buflen;
 register struct recvbuf *rb;
@@ -3272,11 +3272,14 @@
 return (buflen);
 }
- i = (rp->datalen == 0
- || rp->datalen > sizeof(rb->recv_space))
- ? sizeof(rb->recv_space)
- : rp->datalen;
- buflen = read(fd, (char *)&rb->recv_space, (unsigned)i);
+ /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
+ * to buffer overrun and memory corruption
+ */
+ if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
+ read_count = sizeof(rb->recv_space);
+ else
+ read_count = (u_int)rp->datalen;
+ buflen = read(fd, (char *)&rb->recv_space, read_count);
 if (buflen < 0) {
 if (errno != EINTR && errno != EAGAIN)
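Review bot: The second test in the new guard, `rp->datalen > sizeof(rb->recv_space)`, still compares what appears to be a signed field against a `size_t`, and it bounds `read_count` correctly only because `rp->datalen <= 0` short-circuits ahead of it. Making the conversion explicit, `if (rp->datalen <= 0 || (size_t)rp->datalen > sizeof(rb->recv_space))`, keeps the upper bound independent of operand order and stays quiet under `-Wsign-compare`. The declaration of `datalen` is not in the hunk, so its signedness is inferred from the commit subject and the `(u_int)` cast. The body of `read_refclock_packet` continues past the end of the second hunk.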