Skip to content

Use countof() where appropriate, and do it implicitly where possible#1588

Open
alejandro-colomar wants to merge 8 commits intoshadow-maint:masterfrom
alejandro-colomar:of
Open

Use countof() where appropriate, and do it implicitly where possible#1588
alejandro-colomar wants to merge 8 commits intoshadow-maint:masterfrom
alejandro-colomar:of

Conversation

@alejandro-colomar
Copy link
Copy Markdown
Collaborator

@alejandro-colomar alejandro-colomar commented Mar 16, 2026
edited
Loading

This improves bounds safety by using countof(3) where appropriate, and doing it implicitly where possible.

Cc: @kees

Revisions:

v1b
  • Update lib/string/README.
$ git rd 
1:  91814a70 = 1:  91814a70 lib/, src/, tests/: Use countof() or sizeof_a() where appropriate
2:  35962749 = 2:  35962749 lib/salt.c: crypt_make_salt(): Use countof() instead of a hardcoded value
3:  b53f7325 = 3:  b53f7325 lib/sizeof.h: endof(): Add macro
4:  f355a1b4 = 4:  f355a1b4 lib/fields.[ch]: change_field_a(): Add macro
5:  cd6d3c42 = 5:  cd6d3c42 src/: Use change_field_a() instead of its pattern
6:  39e963ed ! 6:  b5e41a06 lib/string/memset/: bzero_a(): Add macro
    @@ lib/Makefile.am: libshadow_la_SOURCES = \
        string/memset/memzero.h \
        string/sprintf/aprintf.c \
     
    + ## lib/string/README ##
    +@@ lib/string/README: ctype/ - Character classification and conversion functions
    + 
    + memset/ - Memory zeroing
    + 
    ++    bzero_a()
    ++  Like bzero(3), but takes an array.
    ++
    +     memzero()
    +   Synonym of explicit_bzero(3).
    +     memzero_a()
    +
      ## lib/string/memset/bzero.c (new) ##
     @@
     +// SPDX-FileCopyrightText: 2024, Alejandro Colomar <alx@kernel.org>
7:  b02d91a9 = 7:  210f91ef lib/: Use bzero_a() instead of its pattern
8:  077542bd = 8:  dd2262a8 lib/audit_help.c: Use countof() instead of sizeof()
v2
  • Consistently use sizeof_a() with read(2).
$ git rd 
1:  91814a70 ! 1:  580ccf69 lib/, src/, tests/: Use countof() or sizeof_a() where appropriate
    @@ src/newgidmap.c: static void write_setgroups(int proc_dir_fd, bool allow_setgrou
         * fail.
         */
     -  if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
    -+  if (read(setgroups_fd, policy_buffer, countof(policy_buffer)) < 0) {
    ++  if (read(setgroups_fd, policy_buffer, sizeof_a(policy_buffer)) < 0) {
                fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
                        Prog, strerrno());
                exit(EXIT_FAILURE);
2:  35962749 = 2:  3805154d lib/salt.c: crypt_make_salt(): Use countof() instead of a hardcoded value
3:  b53f7325 = 3:  aa6a3dcd lib/sizeof.h: endof(): Add macro
4:  f355a1b4 = 4:  d29e1cac lib/fields.[ch]: change_field_a(): Add macro
5:  cd6d3c42 = 5:  524beee5 src/: Use change_field_a() instead of its pattern
6:  b5e41a06 = 6:  2d4f61d4 lib/string/memset/: bzero_a(): Add macro
7:  210f91ef = 7:  68da424c lib/: Use bzero_a() instead of its pattern
8:  dd2262a8 = 8:  8ae2c113 lib/audit_help.c: Use countof() instead of sizeof()

@alejandro-colomar alejandro-colomar self-assigned this Mar 16, 2026
@alejandro-colomar
lib/, src/, tests/: Use countof() or sizeof_a() where appropriate
580ccf6 
sizeof() is dangerous with arrays.  We usually want to know the length
of the array, with countof(), and in very few cases, we want to know the
size (in bytes) of the array, with sizeof_a().  Use sizeof() only
with variables that are not arrays.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/salt.c: crypt_make_salt(): Use countof() instead of a hardcoded v…
3805154 
…alue

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/sizeof.h: endof(): Add macro
aa6a3dc 
endof() returns a pointer to the end of an array, that is,
one after the last element.  It's similar to C++11's std::end().

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/fields.[ch]: change_field_a(): Add macro
d29e1ca 
It calculates the length of the array internally.
Rename the variable that stores the length.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
src/: Use change_field_a() instead of its pattern
524beee 
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/string/memset/: bzero_a(): Add macro
2d4f61d 
This is a bzero() wrapper for arrays.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/: Use bzero_a() instead of its pattern
68da424 
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
lib/audit_help.c: Use countof() instead of sizeof()
8ae2c11 
This is a count of the number of elements.  sizeof() works because
sizeof(char)==1, but it's more dangerous, as it blindly accepts other
types.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hallyn hallyn Awaiting requested review from hallyn

@ikerexxe ikerexxe Awaiting requested review from ikerexxe

At least 1 approving review is required to merge this pull request.

Assignees

@alejandro-colomar alejandro-colomar

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alejandro-colomar