From: Vladimir Sementsov-Ogievskiy Date: Mon, 6 Nov 2023 15:00:27 +0000 (+0000) Subject: util/filemonitor-inotify: qemu_file_monitor_watch(): assert no overflow X-Git-Tag: v8.2.0-rc0~28^2~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e12dd405c6607b4f4566d4a93b79422213ba6a3;p=thirdparty%2Fqemu.git util/filemonitor-inotify: qemu_file_monitor_watch(): assert no overflow Prefer clear assertions instead of [im]possible array overflow. Signed-off-by: Vladimir Sementsov-Ogievskiy Reviewed-by: Peter Maydell Reviewed-by: Maksim Davydov Message-id: 20231017125941.810461-3-vsementsov@yandex-team.ru Signed-off-by: Peter Maydell --- diff --git a/util/filemonitor-inotify.c b/util/filemonitor-inotify.c index 2c45f7f1764..2121111f38b 100644 --- a/util/filemonitor-inotify.c +++ b/util/filemonitor-inotify.c @@ -81,16 +81,25 @@ static void qemu_file_monitor_watch(void *arg) /* Loop over all events in the buffer */ while (used < len) { - struct inotify_event *ev = - (struct inotify_event *)(buf + used); - const char *name = ev->len ? ev->name : ""; - QFileMonitorDir *dir = g_hash_table_lookup(mon->idmap, - GINT_TO_POINTER(ev->wd)); - uint32_t iev = ev->mask & - (IN_CREATE | IN_MODIFY | IN_DELETE | IN_IGNORED | - IN_MOVED_TO | IN_MOVED_FROM | IN_ATTRIB); + const char *name; + QFileMonitorDir *dir; + uint32_t iev; int qev; gsize i; + struct inotify_event *ev = (struct inotify_event *)(buf + used); + + /* + * We trust the kenel to provide valid buffer with complete event + * records. + */ + assert(len - used >= sizeof(struct inotify_event)); + assert(len - used - sizeof(struct inotify_event) >= ev->len); + + name = ev->len ? ev->name : ""; + dir = g_hash_table_lookup(mon->idmap, GINT_TO_POINTER(ev->wd)); + iev = ev->mask & + (IN_CREATE | IN_MODIFY | IN_DELETE | IN_IGNORED | + IN_MOVED_TO | IN_MOVED_FROM | IN_ATTRIB); used += sizeof(struct inotify_event) + ev->len;