On Tue, Nov 05, 2013 at 08:46:07AM -0700, Eric Blake wrote:
> On 11/05/2013 07:37 AM, Stefan Hajnoczi wrote:
>
> >> +
> >> + copy = strtol(n1, NULL, 10);
> >> + if (copy > SD_MAX_COPIES) {
> >> + return -EINVAL;
> >> + }
>
> >
> > The string manipulation can be simplified using sscanf(3) and
> > is_numeric() can be dropped:
> >
> > static int parse_redundancy(BDRVSheepdogState *s, const char *opt)
> > {
> > struct SheepdogInode *inode = &s->inode;
> > uint8_t copy, parity;
> > int n;
> >
> > n = sscanf(opt, "%hhu:%hhu", ©, &parity);
>
> Personally, I detest the use of sscanf() to parse integers out of
> strings, because POSIX says that behavior is undefined if overflow
> occurs. For internal strings, you can get away with it. But for
> untrusted input that did not originate in your process, a user can mess
> you up by passing a string that parses larger than the integer you are
> trying to store into, where the behavior is unspecified whether it wraps
> around module 256, parses additional digits, or any other odd behavior.
> By the time you've added code to sanitize untrusted input, it's just as
> fast to use strtol() anyways.
Hmm...I didn't know that overflow was undefined behavior in POSIX :(.
In that case forget sscanf(3) can look at the strtol(3) result for
errors. There's still no need for a custom is_numeric() function.
Stefan
