"Michael S. Tsirkin" <m...@redhat.com> writes: > On Thu, Feb 16, 2012 at 01:39:02PM -0700, Eric Blake wrote: >> On 02/16/2012 12:23 PM, malc wrote: >> > On Thu, 16 Feb 2012, Michael S. Tsirkin wrote: >> > >> >> Use scanf instead of manual string scanning. >> >> >> >> + >> >> + /* Parse [[<domain>:]<bus>:]<slot> */ >> >> + sscanf(addr, "%x:%x:%x%n", &dom, &bus, &slot, &n); >> > >> > sscanf can fail. >> >> Worse, the *scanf family has undefined behavior on integer overflow. If >> addr contains "100000000000000:0:0", there's no telling whether it will >> be diagnosed as a parse error, or silently accepted and truncated, in >> which case, there's no telling what dom will contain. >> >> I cringe any time I see someone using scanf to parse numbers from >> arbitrary user input; I barely tolerate it for parsing things generated >> by the kernel, but even there, I won't ever use scanf myself. >> Same goes >> for atoi. _Only_ strtol and friends can robustly parse arbitrary input >> into integers. > > Seems easy to fix: I'll just set maximum field width of 8.
Nope. Functional change: "000000001.2" is no longer accepted. > Any other issues? Yes. 1. More functional changes, e.g. * "1" is no longer rejected when funcp != NULL Probably more. I'd be particularly wary of sscanf()'s appetite for space. 2. Diffstat: 1 files changed, 38 insertions(+), 43 deletions(-) Why bother?
