Coverity flags the subtraction from msg_controllen as a potential
underflow. The CMSG_SPACE was added when send_ucred was set, and
the subtraction only runs when send_ucred was true, so it is safe.
Add an assert to document this invariant.
CID#1548074
Follow-up for 64144440a5d2d94482f882b992fd2a4e0dca7a05
return log_debug_errno(errno, "Failed to send notify message to '%s': %m", e);
/* If that failed, try with our own ucred instead */
+ /* Silence static analyzers */
+ assert(msghdr.msg_controllen >= CMSG_SPACE(sizeof(struct ucred)));
msghdr.msg_controllen -= CMSG_SPACE(sizeof(struct ucred));
if (msghdr.msg_controllen == 0)
msghdr.msg_control = NULL;
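Review bot: The comment on the new assert, "Silence static analyzers", records why the line was added but not why the condition holds, although the commit message says the assert is there to document the invariant. Put the invariant in the comment itself, for example that CMSG_SPACE(sizeof(struct ucred)) was added to msg_controllen when send_ucred was set and that this retry path only runs in that case. The send_ucred guard is not visible in this hunk, so it is worth confirming that every path reaching the subtraction has the control space added; msg_controllen is unsigned, so a wrap here would leave a very large control length paired with msg_control rather than a clean failure.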