From ae0f9f149b2b527b924d4532aa38302056d8a6b0 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 8 Mar 2012 13:53:04 +0000 Subject: [PATCH] daemon: inotify: Check event->len in inotify struct is reasonable. The Coverity error is this (which I think is wrong): Error: TAINTED_SCALAR: /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:211: tainted_data_argument: Calling function "read" taints argument "inotify_buf". /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:232: var_assign_var: Assigning: "event" = "(struct inotify_event *)&inotify_buf[n]". Both are now tainted. /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:258: lower_bounds: Checking lower bounds of unsigned scalar "event->len" by "event->len > 0U". /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:272: var_assign_var: Compound assignment involving tainted variable "16UL + event->len" to variable "n" taints "n". /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:228: lower_bounds: Checking lower bounds of unsigned scalar "n" by "n < inotify_posn". /builddir/build/BUILD/libguestfs-1.16.5/daemon/inotify.c:281: tainted_data: Using tainted variable "n" as an index into an array "inotify_buf". Adding a sanity check of event->len is prudent. --- daemon/inotify.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/daemon/inotify.c b/daemon/inotify.c index df6b2e8d5..6c00fd056 100644 --- a/daemon/inotify.c +++ b/daemon/inotify.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -240,6 +241,12 @@ do_inotify_read (void) #error "this code needs fixing so it works on non-GCC compilers" #endif + /* Check event->len is reasonable (note the field is uint32_t). */ + if (event->len > PATH_MAX) { + reply_with_error ("event->len = %" PRIu32 " > PATH_MAX", event->len); + goto error; + } + np = realloc (ret->guestfs_int_inotify_event_list_val, (ret->guestfs_int_inotify_event_list_len + 1) * sizeof (guestfs_int_inotify_event));