If the destination buffer is an array, we can check our assumptions.
This adds a readable way to explain that dsize must be strictly > ssize.
The reason is that the destination string is the source + '\0'.
If the destination is not an array, it's up to _FORTIFY_SOURCE or
-fanalyzer to catch newly introduced errors. There's nothing we can do;
at least not portably.
Suggested-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
#include <config.h>
+#include <assert.h>
#include <stddef.h>
#include <string.h>
#include "mempcpy.h"
+#include "must_be.h"
#include "sizeof.h"
-#define ZUSTR2STP(dst, src) zustr2stp(dst, src, SIZEOF_ARRAY(src))
+#define ZUSTR2STP(dst, src) \
+({ \
+ static_assert(!is_array(dst) || sizeof(dst) > SIZEOF_ARRAY(src), ""); \
+ \
+ zustr2stp(dst, src, SIZEOF_ARRAY(src)); \
+})
inline char *zustr2stp(char *restrict dst, const char *restrict src, size_t sz);
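Review bot: the static_assert in ZUSTR2STP passes an empty message string, so a failing build reports only the expression; a short message such as "dst must be larger than src (needs room for the NUL)" would make the diagnostic self-explanatory, and since <assert.h> is now included the C11 two-argument form is available. Note also that wrapping the macro in a GNU statement expression `({ ... })` is a compiler extension; it is fine for the function-body call sites this macro has, but it means the macro can no longer appear in a constant initializer and ties the header to GCC/Clang, which is worth a comment next to the definition. The `!is_array(dst) ||` guard correctly short-circuits for pointer destinations, matching the commit message's statement that those are left to _FORTIFY_SOURCE or -fanalyzer.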