On Wed, Nov 06, 2013 at 10:34:24AM +0100, Stefan Hajnoczi wrote:
> On Tue, Nov 05, 2013 at 08:46:07AM -0700, Eric Blake wrote:
> > On 11/05/2013 07:37 AM, Stefan Hajnoczi wrote:
> >
> > >> +
> > >> + copy = strtol(n1, NULL, 10);
> > >> + if (copy > SD_MAX_COPIES) {
> > >> + return -EINVAL;
> > >> + }
> >
> > >
> > > The string manipulation can be simplified using sscanf(3) and
> > > is_numeric() can be dropped:
> > >
> > > static int parse_redundancy(BDRVSheepdogState *s, const char *opt)
> > > {
> > > struct SheepdogInode *inode = &s->inode;
> > > uint8_t copy, parity;
> > > int n;
> > >
> > > n = sscanf(opt, "%hhu:%hhu", ©, &parity);
> >
> > Personally, I detest the use of sscanf() to parse integers out of
> > strings, because POSIX says that behavior is undefined if overflow
> > occurs. For internal strings, you can get away with it. But for
> > untrusted input that did not originate in your process, a user can mess
> > you up by passing a string that parses larger than the integer you are
> > trying to store into, where the behavior is unspecified whether it wraps
> > around module 256, parses additional digits, or any other odd behavior.
> > By the time you've added code to sanitize untrusted input, it's just as
> > fast to use strtol() anyways.
>
> Hmm...I didn't know that overflow was undefined behavior in POSIX :(.
>
> In that case forget sscanf(3) can look at the strtol(3) result for
> errors. There's still no need for a custom is_numeric() function.
Thanks for your comments, I'll remove is_numeric() for v6
Thanks
Yuan
