From: Juergen Perlinger Date: Wed, 30 Sep 2015 19:55:09 +0000 (+0200) Subject: [TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7149a56000bdaedc598dd776c3002785ea7380a;p=thirdparty%2Fntp.git [TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun bk: 560c3e1dPn6ygkWFZ-3KWOgu-2txNg --- diff --git a/ChangeLog b/ChangeLog index ad54fc0de..dc99eab50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,6 @@ --- +* [TALOS-CAN-0064] signed/unsiged clash could lead to buffer overun + and memory corruption. perlinger@ntp.org * [Bug 2332] (reopened) Exercise thread cancellation once before dropping privileges and limiting resources in NTPD removes the need to link forcefully against 'libgcc_s' which does not always work. J.Perlinger diff --git a/ntpd/ntp_io.c b/ntpd/ntp_io.c index d5850064c..5fc6ed52a 100644 --- a/ntpd/ntp_io.c +++ b/ntpd/ntp_io.c @@ -3242,7 +3242,7 @@ read_refclock_packet( l_fp ts ) { - int i; + u_int read_count; int buflen; int saved_errno; int consumed; @@ -3261,12 +3261,15 @@ read_refclock_packet( return (buflen); } - i = (rp->datalen == 0 - || rp->datalen > (int)sizeof(rb->recv_space)) - ? (int)sizeof(rb->recv_space) - : rp->datalen; + /* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead + * to buffer overrun and memory corruption + */ + if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space)) + read_count = sizeof(rb->recv_space); + else + read_count = (u_int)rp->datalen; do { - buflen = read(fd, (char *)&rb->recv_space, (u_int)i); + buflen = read(fd, (char *)&rb->recv_space, read_count); } while (buflen < 0 && EINTR == errno); if (buflen <= 0) {
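Review bot: The added ChangeLog entry misspells two words, "unsiged" and "overun"; writing "signed/unsigned" and "buffer overrun" keeps the entry findable by text search. The entry also gives only the tracking id, so naming the function changed, read_refclock_packet() in ntpd/ntp_io.c, would tell a reader where the fix landed.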
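Review bot: In the declaration hunk of read_refclock_packet() (@@ -3242), read_count is declared u_int, yet it is assigned from sizeof(rb->recv_space), which is a size_t, and is then passed as the length argument of read(). Declaring it size_t would remove the implicit narrowing on assignment and match the type the call expects, which fits the stated aim of avoiding mixed-type arithmetic around this buffer length.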
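Review bot: In the second ntp_io.c hunk (@@ -3261), the test rp->datalen > sizeof(rb->recv_space) is still a mixed comparison: datalen is handled as signed (it is tested with <= 0 and cast to u_int two lines later) while sizeof yields size_t. The result is correct only because rp->datalen <= 0 short-circuits first, so a negative value never reaches the unsigned comparison. An explicit cast, (size_t)rp->datalen > sizeof(rb->recv_space), would make that dependency visible, keep sign-compare warnings quiet, and protect against a later reordering of the two operands. The new comment could also state the concrete failure it prevents: in the removed lines a negative datalen passed both tests, was stored in i, and reached read() as (u_int)i, a count far larger than recv_space.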