On Mon, Oct 20, 2025 at 03:01:15PM -0700, Kees Cook wrote:
> Introduce __counted_by_ptr(), which works like __counted_by(), but for
> pointer struct members:
>
> struct foo {
> 	int a, b, c;
> 	char *buffer __counted_by_ptr(bytes);
> 	short nr_bars;
> 	struct bar *bars __counted_by_ptr(nr_bars);
> 	size_t bytes;
> };
>
> Since "counted_by" can only be applied to pointer members in very recent
> compiler versions, its application ends up needing to be distinct from
> flexible array "counted_by" annotations, hence a separate macro.
>
> Unfortunately, this annotation cannot be used for "void *" members
> (since such a member is considered a pointer to an incomplete type,
> and neither Clang nor GCC developers could be convinced otherwise[1],
> even in the face of the GNU extension that "void *" has size "1 byte"
> for pointer arithmetic). For "void *" members, we must use the coming
> "sized_by" attribute.

So why do we need both __counted_by_ptr() and this __sized_by(), won't
one be good enough?

Also, given the existing __counted_by() is really only usable with
>=19.1.3 and we're now at 22-ish, do we really need two of these?

That is, I'm really hating the idea we need 3 different annotations for
what is effectively the same thing and feel we should try *really* hard
to make it 1.