On Fri, Feb 17, 2012 at 01:35:02PM +0100, Markus Armbruster wrote: > "Michael S. Tsirkin" <m...@redhat.com> writes: > > > On Thu, Feb 16, 2012 at 01:39:02PM -0700, Eric Blake wrote: > >> On 02/16/2012 12:23 PM, malc wrote: > >> > On Thu, 16 Feb 2012, Michael S. Tsirkin wrote: > >> > > >> >> Use scanf instead of manual string scanning. > >> >> > >> >> + > >> >> + /* Parse [[<domain>:]<bus>:]<slot> */ > >> >> + sscanf(addr, "%x:%x:%x%n", &dom, &bus, &slot, &n); > >> > > >> > sscanf can fail. > >> > >> Worse, the *scanf family has undefined behavior on integer overflow. If > >> addr contains "100000000000000:0:0", there's no telling whether it will > >> be diagnosed as a parse error, or silently accepted and truncated, in > >> which case, there's no telling what dom will contain. > >> > >> I cringe any time I see someone using scanf to parse numbers from > >> arbitrary user input; I barely tolerate it for parsing things generated > >> by the kernel, but even there, I won't ever use scanf myself. > >> Same goes > >> for atoi. _Only_ strtol and friends can robustly parse arbitrary input > >> into integers. > > > > Seems easy to fix: I'll just set maximum field width of 8. > > Nope. Functional change: "000000001.2" is no longer accepted.
OK, there's an easy way to fix with %*[0]%8x > > Any other issues? > > Yes. > > 1. More functional changes, e.g. > > * "1" is no longer rejected when funcp != NULL > > Probably more. I'd be particularly wary of sscanf()'s appetite for > space. BTW strtoul that we currently use skips whitespace silently too. We probably should validate input with %*[0-9a-f.:] beforehand to address this. > 2. Diffstat: 1 files changed, 38 insertions(+), 43 deletions(-) > > Why bother?
