string_copy: assert() fail if the copy is too long

Add a hueristic: if the string copy is "too long", fail an assert().
This is based on the premise that Open MPI doesn't do large string
copies.  So if we see a dest_len that is over a certain threshhold
(currently set at 128K), this is likely a programmer error, and on
debug builds, we should fail an assert().  In production builds, it
will work just fine (assuming that it's not a programmer error).

Signed-off-by: Jeff Squyres <jsquyres@cisco.com>

opal/util/string_copy.c

@@ -9,15 +9,27 @@
 
 #include "opal_config.h"
 
+#include <assert.h>
+
 #include "opal/util/string_copy.h"
 
 
-void opal_string_copy(char *dest, const char *src, size_t len)
+void opal_string_copy(char *dest, const char *src, size_t dest_len)
 {
     size_t i;
     char *new_dest = dest;
 
-    for (i = 0; i < len; ++i, ++src, ++new_dest) {
+    // Open MPI does not do *giant* string copies.  Hence, we use the
+    // hueristic: if "dest_len" is too large, this is a programmer
+    // error.  We pseudo-arbitrarily pick a large value to be the max
+    // allowable dest_len: 128K.  If we ever need to increase this
+    // value someday (because something has a legit reason to
+    // opal_string_copy() more than 128K), the core dumps that are
+    // generated by the assert() failure should make this fairly
+    // obvious.
+    assert(dest_len <= OPAL_MAX_SIZE_ALLOWED_BY_OPAL_STRING_COPY);
+
+    for (i = 0; i < dest_len; ++i, ++src, ++new_dest) {
         *new_dest = *src;
         if ('\0' == *src) {
             return;

opal/util/string_copy.h

@@ -28,17 +28,23 @@ BEGIN_C_DECLS
 
 /**
  * Do a "safe" string copy (i.e., guarantee to \0-terminate the
- * destination string).
+ * destination string), and assert() fail if the copy length is too
+ * large (because we assume it is a programmer error).
  *
  * @param dest Destination string buffer.
  * @param src Source string buffer.
- * @param len Length of the destination string buffer.
+ * @param dest_len Length of the destination string buffer.
  *
  * This function is similar to, but different than, strcpy() and
  * strncpy().
  *
  * It is invalid to pass NULL for either dest or src.
  *
+ * If dest_len is larger than
+ * OPAL_MAX_SIZE_ALLOWED_BY_OPAL_STRING_COPY, we assume that this is
+ * a programmer error (because Open MPI does not generally need to do
+ * large string copies), and will assert() fail / abort.
+ *
  * There is no return value.
  *
  * This function will essentially do the same thing as strncpy(),
@@ -54,9 +60,16 @@ BEGIN_C_DECLS
  *   destination, and dest[len-1] will be set to '\0'.
  */
 OPAL_DECLSPEC void opal_string_copy(char *dest, const char *src,
-                                    size_t len)
+                                    size_t dest_len)
     __opal_attribute_nonnull__(1) __opal_attribute_nonnull__(2);
 
+/**
+ * Max dest_size allowed by opal_string_copy().
+ *
+ * See the description of opal_string_copy() for an explanation.
+ */
+#define OPAL_MAX_SIZE_ALLOWED_BY_OPAL_STRING_COPY (128 * 1024)
+
 END_C_DECLS
 
 #endif /* OPAL_STRING_COPY_H */