On Thu, Feb 16, 2012 at 01:39:02PM -0700, Eric Blake wrote: > On 02/16/2012 12:23 PM, malc wrote: > > On Thu, 16 Feb 2012, Michael S. Tsirkin wrote: > > > >> Use scanf instead of manual string scanning. > >> > >> + > >> + /* Parse [[<domain>:]<bus>:]<slot> */ > >> + sscanf(addr, "%x:%x:%x%n", &dom, &bus, &slot, &n); > > > > sscanf can fail. > > Worse, the *scanf family has undefined behavior on integer overflow. If > addr contains "100000000000000:0:0", there's no telling whether it will > be diagnosed as a parse error, or silently accepted and truncated, in > which case, there's no telling what dom will contain. > > I cringe any time I see someone using scanf to parse numbers from > arbitrary user input; I barely tolerate it for parsing things generated > by the kernel, but even there, I won't ever use scanf myself. > Same goes > for atoi. _Only_ strtol and friends can robustly parse arbitrary input > into integers.
Seems easy to fix: I'll just set maximum field width of 8. Any other issues? > -- > Eric Blake ebl...@redhat.com +1-919-301-3266 > Libvirt virtualization library http://libvirt.org >
