daemon: inotify: Check event->len in inotify struct is reasonable.

The Coverity error is this (which I think is wrong):

Error: TAINTED_SCALAR:
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:211: tainted_data_argument: Calling function "read" taints argument "inotify_buf".
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:232: var_assign_var: Assigning: "event" = "(struct inotify_event *)&inotify_buf[n]". Both are now tainted.
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:258: lower_bounds: Checking lower bounds of unsigned scalar "event->len" by "event->len > 0U".
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:272: var_assign_var: Compound assignment involving tainted variable "16UL + event->len" to variable "n" taints "n".
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:228: lower_bounds: Checking lower bounds of unsigned scalar "n" by "n < inotify_posn".
/builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:281: tainted_data: Using tainted variable "n" as an index into an array "inotify_buf".

Adding a sanity check of event->len is prudent.
Richard W.M. Jones
2012-03-08 13:53:04 +00:00
parent 3b3d9ca4e1
commit ae0f9f149b


@@ -21,6 +21,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>
#include <unistd.h>
#include <fcntl.h>
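Review bot: PATH_MAX, which the new check in do_inotify_read relies on, is defined in <limits.h>, and that header is not among the includes visible in this hunk. If it is not already included elsewhere in the file, add it explicitly next to <inttypes.h> rather than depending on a transitive include from another header.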
@@ -240,6 +241,12 @@ do_inotify_read (void)
#error "this code needs fixing so it works on non-GCC compilers"
#endif
/* Check event->len is reasonable (note the field is uint32_t). */
if (event->len > PATH_MAX) {
reply_with_error ("event->len = %" PRIu32 " > PATH_MAX", event->len);
goto error;
}
np = realloc (ret->guestfs_int_inotify_event_list_val,
(ret->guestfs_int_inotify_event_list_len + 1) *
sizeof (guestfs_int_inotify_event));
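Review bot: the event->len > PATH_MAX test bounds the length in absolute terms only and does not tie it to the data actually read into inotify_buf. The Coverity trace in the commit message is about n (advanced by 16UL + event->len) being used as an index after being compared with inotify_posn, so it would be more direct to also reject an event whose header plus event->len extends past inotify_posn from the current offset n. A short comment explaining why PATH_MAX was chosen as the ceiling would also help the next reader.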