
ntp-4.2.6p5-24.7.mga5.src.rpm

Backport of:

From 8482b536f9494a5d45196ab5b7e13040f5940261 Mon Sep 17 00:00:00 2001
From:  <jnperlin@hydra.localnet>
Date: Wed, 30 Sep 2015 21:55:09 +0200
Subject: [PATCH] [TALOS-CAN-0064] signed/unsiged clash could lead to buffer
 overun

---
 ChangeLog     |  2 ++
 ntpd/ntp_io.c | 15 +++++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)

Index: ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c
===================================================================
--- ntp-4.2.6.p5+dfsg.orig/ntpd/ntp_io.c	2015-10-22 16:27:40.686182025 -0400
+++ ntp-4.2.6.p5+dfsg/ntpd/ntp_io.c	2015-10-22 16:32:28.776865553 -0400
@@ -3255,7 +3255,7 @@
 static inline int
 read_refclock_packet(SOCKET fd, struct refclockio *rp, l_fp ts)
 {
-	int i;
+	u_int read_count;
 	int buflen;
 	register struct recvbuf *rb;
 
@@ -3272,11 +3272,14 @@
 		return (buflen);
 	}
 
-	i = (rp->datalen == 0
-	     || rp->datalen > sizeof(rb->recv_space))
-		? sizeof(rb->recv_space)
-		: rp->datalen;
-	buflen = read(fd, (char *)&rb->recv_space, (unsigned)i);
+	/* TALOS-CAN-0064: avoid signed/unsigned clashes that can lead
+	 * to buffer overrun and memory corruption
+	 */
+	if (rp->datalen <= 0 || rp->datalen > sizeof(rb->recv_space))
+		read_count = sizeof(rb->recv_space);
+	else
+		read_count = (u_int)rp->datalen;
+	buflen = read(fd, (char *)&rb->recv_space, read_count);
 
 	if (buflen < 0) {
 		if (errno != EINTR && errno != EAGAIN)
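Review bot: The upper-bound test in the new `if` still compares `rp->datalen` against `sizeof(rb->recv_space)` with mixed signedness, which is the implicit conversion the added TALOS-CAN-0064 comment says the code avoids. The declaration of `datalen` is not visible in this hunk, but the commit subject suggests it is signed. If so, the check reads correctly only because the `rp->datalen <= 0` operand is evaluated first. I would make that explicit with `if (rp->datalen <= 0 || (size_t)rp->datalen > sizeof(rb->recv_space))`, which also keeps `-Wsign-compare` quiet so that a later regression here shows up as a warning. The body of read_refclock_packet begins before and continues past this hunk, so how `buflen` is used after the `read()` cannot be checked from here.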