util_libc: Clarify that conversion of syscall result is lossless.

briansmith · briansmith · commit 4cb5ca68d15e · 2024-06-02T13:02:19.000-07:00
diff --git a/src/util_libc.rs b/src/util_libc.rs
@@ -103,12 +103,23 @@ pub fn open_readonly(path: &[u8]) -> Result<libc::c_int, Error> {
 /// Thin wrapper around the `getrandom()` Linux system call
 #[cfg(any(target_os = "android", target_os = "linux"))]
 pub fn getrandom_syscall(buf: &mut [MaybeUninit<u8>]) -> libc::ssize_t {
-    unsafe {
+    let len: usize = core::cmp::min(buf.len(), libc::ssize_t::MAX.unsigned_abs());
+
+    let res: libc::c_long = unsafe {
         libc::syscall(
             libc::SYS_getrandom,
             buf.as_mut_ptr().cast::<core::ffi::c_void>(),
-            buf.len(),
+            len,
             0,
-        ) as libc::ssize_t
-    }
+        )
+    };
+
+    // c_long to ssize_t conversion is lossless.
+    const _: () =
+        assert!(core::mem::size_of::<libc::c_long>() == core::mem::size_of::<libc::ssize_t>());
+
+    // We clamped the request to `ssize_t::MAX` bytes so this lossless.
+    #[allow(clippy::cast_possible_truncation)]
+    let res = res as libc::ssize_t;
+    res
 }
