From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Sat, 28 Mar 2026 22:00:25 +0000 (+0000)
Subject: creds-util: add assert for output buffer size overflow safety
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24bdc49c23be1b71f72ebf20586cce07147c9d3e;p=thirdparty%2Fsystemd.git

creds-util: add assert for output buffer size overflow safety

Coverity flags the multi-term output.iov_len accumulation as a
potential overflow. Add an assert after the calculation to verify
the result is at least as large as the input, catching wraparound.

CID#1548068

Follow-up for 21bc0b6fa1de44b520353b935bf14160f9f70591
---

diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index e7db1ff7eff..6fedc500dc3 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -1068,6 +1068,8 @@ int encrypt_credential_and_warn(
                 ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
                 input->iov_len + 2U * (size_t) bsz +
                 tsz;
+        /* Silence static analyzers */
+        assert(output.iov_len >= input->iov_len);
 
         output.iov_base = malloc0(output.iov_len);
         if (!output.iov_base)