On Thu, Aug 12, 2021 at 03:43:56PM -0500, Eric Blake wrote:
> > $ ./nbdkit -f memory 1 --filter=delay delay-read=1oopsms
>
> Oops - our use of sscanf didn't check for trailing garbage, and this
> is behaving as delay-read=1ms.
>
> > $ ./nbdkit -fv memory 1 --filter=delay delay-read=999999999999999999999ms
>
> Using gdb, I see that in glibc this results in the same as
> delay-read=4294967295, but that behavior is unspecified by POSIX and
> may result in other values on other platforms. Better would be
> detecting overflow, but sscanf() cannot detect numeric overflow.
>
> Detecting trailing garbage could be done with sscanf(value, "%ums%n",
> r, &n) == 1 followed by checking that n consumed strlen(value) bytes,
> but detecting overflow really needs strtol() rather than sscanf.
>
> We have other filters and plugins that use sscanf. As long as their
> inputs come from stable sources (such as scanning kernel /proc files)
> or don't parse numbers, that is safe; but in general, use of sscanf to
> parse user-provided data is risky.

I'm wondering if we want to add

  int nbdkit_parse_int_suffix (const char *what, const char *str,
                               char **suff, int *r);

and friends, which sets *suff to the first unparsed byte in str on a
successful integer prefix parse.

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

_______________________________________________
Libguestfs mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/libguestfs
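As an added illustration (example code, not nbdkit's own), the parser below follows the shape of the proposed nbdkit_parse_int_suffix: strtoull with errno catches the overflow case, the returned suffix pointer catches the trailing garbage case, and the sscanf variant with %n is shown beside it to make the remaining gap visible. The helper names parse_uint_suffix, delay_ms_strtoull and delay_ms_sscanf are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper in the spirit of the proposed nbdkit_parse_int_suffix:
 * parse an unsigned decimal prefix of str, set *suff to the first unparsed
 * byte, and report overflow via errno.  Returns 0 on success, -1 on error.
 * This is example code, not nbdkit's own. */
static int
parse_uint_suffix (const char *str, const char **suff, unsigned *r)
{
  char *end;
  unsigned long long v;

  /* strtoull would skip leading whitespace and accept a sign; refuse both. */
  if (*str < '0' || *str > '9')
    return -1;
  errno = 0;
  v = strtoull (str, &end, 10);
  if (errno == ERANGE || v > UINT_MAX) /* overflow, which sscanf cannot report */
    return -1;
  *suff = end;
  *r = (unsigned) v;
  return 0;
}

/* Parse a delay written as "<N>ms"; returns N, or -1 on any error.
 * Only the millisecond form is handled in this example. */
static long long
delay_ms_strtoull (const char *value)
{
  const char *suff;
  unsigned r;
  if (parse_uint_suffix (value, &suff, &r) == -1)
    return -1;
  if (strcmp (suff, "ms") != 0)       /* rejects "1oopsms": suffix must be exactly "ms" */
    return -1;
  return r;
}

/* The sscanf pattern from the mail: %n plus a strlen check catches trailing
 * garbage, but a value like 999999999999999999999ms still silently overflows. */
static long long
delay_ms_sscanf (const char *value)
{
  unsigned r;
  int n = 0;
  if (sscanf (value, "%ums%n", &r, &n) != 1 || (size_t) n != strlen (value))
    return -1;
  return r;
}
```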
