On 02/16/2012 12:23 PM, malc wrote: > On Thu, 16 Feb 2012, Michael S. Tsirkin wrote: > >> Use scanf instead of manual string scanning. >> >> + >> + /* Parse [[<domain>:]<bus>:]<slot> */ >> + sscanf(addr, "%x:%x:%x%n", &dom, &bus, &slot, &n); > > sscanf can fail.
Worse, the *scanf family has undefined behavior on integer overflow. If addr contains "100000000000000:0:0", there's no telling whether it will be diagnosed as a parse error, or silently accepted and truncated, in which case, there's no telling what dom will contain. I cringe any time I see someone using scanf to parse numbers from arbitrary user input; I barely tolerate it for parsing things generated by the kernel, but even there, I won't ever use scanf myself. Same goes for atoi. _Only_ strtol and friends can robustly parse arbitrary input into integers. -- Eric Blake ebl...@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
