[TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun
authorJuergen Perlinger <perlinger@ntp.org>
Wed, 30 Sep 2015 19:55:09 +0000 (21:55 +0200)
committerJuergen Perlinger <perlinger@ntp.org>
Wed, 30 Sep 2015 19:55:09 +0000 (21:55 +0200)
bk: 560c3e1dPn6ygkWFZ-3KWOgu-2txNg

ChangeLog
ntpd/ntp_io.c

index ad54fc0de822b97180d8a536f2b74374612cdd77..dc99eab508f9b322fd210a78a52d8a7766592162 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 ---
+* [TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun
+  and memory corruption. perlinger@ntp.org
 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping
   privileges and limiting resources in NTPD removes the need to link
   forcefully against 'libgcc_s' which does not always work. J.Perlinger
index d5850064c43a5f6e1367ff5818de69945f8538dd..5fc6ed52acae0f58199d96c62643218d01b34de4 100644 (file)
@@ -3242,7 +3242,7 @@ read_refclock_packet(
        l_fp                    ts
        )
 {
-       int                     i;
+       u_int                   read_count;
        int                     buflen;
        int                     saved_errno;
        int                     consumed;
@@ -3261,12 +3261,15 @@ read_refclock_packet(
                return (buflen);
        }
 
-       i = (rp->datalen == 0
-            || rp->datalen > (int)sizeof(rb->recv_space))
-               ? (int)sizeof(rb->recv_space)
-               : rp->datalen;
+       /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
+        * to buffer overrun and memory corruption
+        */
+       if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
+               read_count = sizeof(rb->recv_space);
+       else
+               read_count = (u_int)rp->datalen;
        do {
-               buflen = read(fd, (char *)&rb->recv_space, (u_int)i);
+               buflen = read(fd, (char *)&rb->recv_space, read_count);
        } while (buflen < 0 && EINTR == errno);
 
        if (buflen <= 0) {
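Review bot: The new guard still contains a mixed signed/unsigned comparison, `rp->datalen > sizeof(rb->recv_space)`, which is safe only because `rp->datalen <= 0` short-circuits ahead of it (datalen appears to be a signed int, judging by the casts on the old and new lines). An explicit cast removes that dependence on operand order and keeps `-Wsign-compare` quiet: `if (rp->datalen <= 0 || (size_t)rp->datalen > sizeof(rb->recv_space))`. The added comment would also help the next reader more if it named the actual failure, e.g. `/* a negative datalen used to be cast to u_int and passed to read() as a huge count; any value outside 1..sizeof(recv_space) now reads at most one full buffer */`. Declaring `read_count` in the earlier hunk as `size_t` instead of `u_int` would match both `sizeof` and the third parameter of read() and avoid the narrowing assignment. The body of read_refclock_packet starts before and continues past this hunk, so how `buflen` is used afterwards is not visible here.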