From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 7 Apr 2026 23:53:07 +0000 (+0100)
Subject: sd-event: validate ssi_signo fits in signed int
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fda487ef30b83002bda2470af7eefc855191db78;p=thirdparty%2Fsystemd.git

sd-event: validate ssi_signo fits in signed int

Coverity flags si.ssi_signo as tainted data from read(), and warns
that casting it to signed could produce a negative value. Add an
explicit range check against INT_MAX before the SIGNAL_VALID check
to prove the cast is safe.

CID#1548033

Follow-up for c8b53fcfd3463679e6475e9b57b61a97dac1a287
---

diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
index ad82f308baa..19feff56688 100644
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@@ -3804,11 +3804,11 @@ static int process_signal(sd_event *e, struct signal_data *d, uint32_t events, i
                 if (_unlikely_(n != sizeof(si)))
                         return -EIO;
 
-                if (_unlikely_(!SIGNAL_VALID(si.ssi_signo)))
+                if (_unlikely_(si.ssi_signo > INT_MAX)) /* Ensure value fits in int before casting */
                         return -EIO;
 
-                /* Silence static analyzers */
-                assert(si.ssi_signo < _NSIG);
+                if (_unlikely_(!SIGNAL_VALID(si.ssi_signo)))
+                        return -EIO;
 
                 if (e->signal_sources)
                         s = e->signal_sources[si.ssi_signo];