On Fri, Dec 02, 2022 at 09:59:57AM +0000, Richard W.M. Jones wrote:
> >
> > In addition, please replace sscanf() with strtol(). The behavior of the
> > former is undefined when the subject sequence forms a valid decimal
> > string, but the numeric value does not fit into an "int". And, this is
> > untrusted data. strtol() handles this securely (although strtol() is not
> > trivial to use).
>
> I really think we (meaning Eric :-) should get scanf fixed, but yes
> I'll replace this with xstrol since we have it around.
POSIX is reluctant to add a sane errno setting for scanf failures on
integer overflow without existing practice, and we've probably missed any
window of raising it as a complaint to the C23 folks. It's been
known-broken for 30+ years, and no one has had any bright ideas how to
fix it so that code that cares can check for overflow without too much
boilerplate and existing code that doesn't expect errors doesn't break.
The strtol* family is the only portably safe way to parse untrusted input
as integers.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org

_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
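The thread above recommends strtol() over sscanf("%d") for untrusted integers but notes that strtol() is "not trivial to use". The following is an added example (not code from the thread, from libguestfs, or from gnulib's xstrtol) of the checks a strtol()-based parser needs to get right: clearing errno before the call, distinguishing "no digits" from "out of range", rejecting trailing junk, and narrowing from long to int explicitly so that on LP64 platforms a value that fits in long but not in int is still reported as overflow. The enum, function and sample inputs are all constructed here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of parse_int(); constructed for this example. */
enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY,     /* no digits at all (empty string, only whitespace, lone sign) */
    PARSE_TRAILING,  /* digits followed by other characters, e.g. "12abc" */
    PARSE_OVERFLOW   /* value does not fit in an int */
};

/* Parse an untrusted NUL-terminated decimal string into an int.
 * On PARSE_OK the value is stored in *out; on any other status *out
 * is left untouched. Unlike sscanf("%d"), out-of-range input is a
 * reported error rather than undefined behaviour. */
enum parse_status parse_int(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;                /* strtol sets errno on ERANGE but never clears it */
    v = strtol(s, &end, 10);  /* base 10 only: no "0x" hex, no leading-zero octal */

    if (end == s)
        return PARSE_EMPTY;   /* no conversion was performed */
    if (errno == ERANGE)
        return PARSE_OVERFLOW; /* out of range even for long (LONG_MIN/LONG_MAX) */
    if (v < INT_MIN || v > INT_MAX)
        return PARSE_OVERFLOW; /* fits in long but not in int (matters on LP64) */
    if (*end != '\0')
        return PARSE_TRAILING; /* strict: nothing may follow the digits */

    *out = (int)v;             /* safe: range already checked */
    return PARSE_OK;
}

/* Convenience wrappers so callers (and tests) can work with plain values. */
enum parse_status status_of(const char *s)
{
    int unused;
    return parse_int(s, &unused);
}

int value_or(const char *s, int fallback)
{
    int v;
    return parse_int(s, &v) == PARSE_OK ? v : fallback;
}

int main(void)
{
    /* Constructed sample inputs; the overflow cases assume a 32-bit int. */
    const char *samples[] = { "42", "  -17", "2147483647", "2147483648",
                              "-2147483649", "99999999999999999999",
                              "", "abc", "12abc", "+", NULL };
    static const char *names[] = { "OK", "EMPTY", "TRAILING", "OVERFLOW" };

    for (int i = 0; samples[i] != NULL; i++) {
        int v = 0;
        enum parse_status st = parse_int(samples[i], &v);
        if (st == PARSE_OK)
            printf("%-24s -> %s (%d)\n", samples[i], names[st], v);
        else
            printf("%-24s -> %s\n", samples[i], names[st]);
    }
    return 0;
}
```

strtol() itself skips leading whitespace and accepts an optional sign, so "  -17" parses cleanly; what it will not do for you is the errno reset, the narrowing check, or the trailing-character check, and each of those is a place where a hand-rolled replacement for sscanf() commonly goes wrong.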