From: Alejandro Colomar
Date: Thu, 31 Aug 2023 13:36:20 +0000 (+0200)
Subject: zustr2stp.h: Assert some assumptions about the size
X-Git-Tag: 4.15.0-rc1~185
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9514a841bc90d2a8f6b66768f79c995fe77514f3;p=thirdparty%2Fshadow.git

zustr2stp.h: Assert some assumptions about the size

If the destination buffer is an array, we can check our assumptions.

This adds a readable way to explain that dsize must be strictly > ssize. The reason is that the destination string is the source + '\0'.

If the destination is not an array, it's up to _FORTIFY_SOURCE or -fanalyzer to catch newly introduced errors. There's nothing we can do; at least not portably.

Suggested-by: Serge Hallyn
Signed-off-by: Alejandro Colomar
---
diff --git a/lib/zustr2stp.h b/lib/zustr2stp.h index 7775fc6da..f2dbc741f 100644 --- a/lib/zustr2stp.h +++ b/lib/zustr2stp.h @@ -10,14 +10,21 @@ #include +#include #include #include #include "mempcpy.h" +#include "must_be.h" #include "sizeof.h" -#define ZUSTR2STP(dst, src) zustr2stp(dst, src, SIZEOF_ARRAY(src)) +#define ZUSTR2STP(dst, src) \ +({ \ + static_assert(!is_array(dst) || sizeof(dst) > SIZEOF_ARRAY(src), ""); \ + \ + zustr2stp(dst, src, SIZEOF_ARRAY(src)); \ +}) inline char *zustr2stp(char *restrict dst, const char *restrict src, size_t sz);
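Review bot: the static_assert added to ZUSTR2STP carries an empty message string, so when it fires the developer sees only the raw condition; the rule the commit message states (dst must hold src plus the terminating '\0') belongs in that message, e.g. `static_assert(!is_array(dst) || sizeof(dst) > SIZEOF_ARRAY(src), "dst must have room for src plus the terminating NUL");`, and a one-line comment above the macro should say that the check is deliberately skipped when dst is not an array, since that caveat is currently only in the commit message. Two further points on the same hunk: the mix of `sizeof(dst)` for the destination and `SIZEOF_ARRAY(src)` for the source looks intentional (a compile-time `||` does not suppress a diagnostic from its right operand, so whatever array check SIZEOF_ARRAY performs could not be applied to a pointer dst), but it reads like an inconsistency and deserves a comment so a later cleanup does not "fix" it; and the `({ ... })` statement expression is a GNU extension, so this header now requires GCC or Clang where the previous one-line macro was plain C, which is worth stating given the commit message's own remark about portability.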