Use ssp-buffer-size param when hardening

We used to enable ssp-buffer-size=1 only when building with
--enable-gcc-warnings. That would result in warnings (and no
protection for small arrays) when building with
--enable-gcc-hardening without enabling warnings, too. Fixes bug
2031.

Also remove an XXX: We now allow to build with -fstack-protector
by using --enable-gcc-hardening.

2 files changed, 7 insertions, 3 deletions

diff --git a/changes/bug2031 b/changes/bug2031
new file mode 100644
index 0000000000..59afc022e1
--- /dev/null
+++ b/changes/bug2031
@@ -0,0 +1,5 @@
+  o Minor bugfixes:
+    - Enable protection of small arrays whenever we build with gcc hardening
+      features, not only when also building with warnings enabled. Fixes bug
+      2031; bugfix on 0.2.2.14-alpha. Reported by keb.
+
diff --git a/configure.in b/configure.in
index 891daa82c1..7e72adaa33 100644
--- a/configure.in
+++ b/configure.in
@@ -99,7 +99,7 @@ AC_ARG_ENABLE(gcc-hardening,
 [if test x$enableval = xyes; then
     CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
     CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
-    CFLAGS="$CFLAGS -Wpointer-sign"
+    CFLAGS="$CFLAGS -Wpointer-sign --param ssp-buffer-size=1"
     LDFLAGS="$LDFLAGS -pie"
 fi])
 
@@ -892,9 +892,8 @@ if test x$enable_gcc_warnings = xyes || test x$enable_gcc_warnings_advisory = xy
 
   if test x$have_gcc42 = xyes ; then 
     # These warnings break gcc 4.0.2 and work on gcc 4.2
-    # XXXX020 Use -fstack-protector.
     # XXXX020 See if any of these work with earlier versions.
-    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1 --param ssp-buffer-size=1"
+    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1"
     # We used to use -Wstrict-overflow=5, but that breaks us heavily under 4.3.
   fi