On Fri, Dec 02, 2022 at 09:59:57AM +0000, Richard W.M. Jones wrote:
> >
> > In addition, please replace sscanf() with strtol(). The behavior of the
> > former is undefined when the subject sequence forms a valid decimal
> > string, but the numeric value does not fit into an "int". And, this is
> > untrusted data. strtol() handles this securely (although strtol() is not
> > trivial to use).
>
> I really think we (meaning Eric :-) should get scanf fixed, but yes
> I'll replace this with xstrol since we have it around.

POSIX is reluctant to add a sane errno setting for scanf failures on
integer overflow without existing practice, and we've probably missed
any window of raising it as a complaint to the C23 folks. It's been
known-broken for 30+ years, and no one has had any bright ideas how to
fix it so that code that cares can check for overflow without too much
boilerplate and existing code that doesn't expect errors doesn't
break. The strtol* family is the only portably safe way to parse
untrusted input as integers.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
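The strtol()-based parsing that the thread recommends, written out as an added example (this is not code from the thread, from QEMU, libvirt or any other project mentioned; the helper names parse_int_strict, parse_int_sscanf and the checker wrappers are hypothetical). It shows the checks a strtol caller needs (errno reset, ERANGE, no-digits, trailing garbage, and narrowing long to int), next to the sscanf("%d") pattern for contrast. The inputs in main() are constructed, and the tests assume the usual 32-bit int.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from the thread): parse an untrusted decimal
 * string into an int.  Returns 0 and stores the value in *out on success;
 * returns -1 on empty input, leading whitespace, non-digit characters,
 * trailing garbage, or a value outside INT_MIN..INT_MAX.  Every failure,
 * overflow included, is reported; sscanf("%d") leaves overflow undefined. */
int parse_int_strict(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;

    /* strtol silently skips leading whitespace; reject it so " 5" and
     * "\n5" are not accepted as numbers. */
    if (isspace((unsigned char)*s))
        return -1;

    /* strtol only sets errno on failure, so clear it before the call. */
    errno = 0;
    v = strtol(s, &end, 10);

    /* No digits consumed (e.g. "", "-", "abc"): strtol sets end == s. */
    if (end == s)
        return -1;

    /* Trailing garbage after the number (e.g. "12abc", "7 "). */
    if (*end != '\0')
        return -1;

    /* Magnitude exceeded long: strtol clamps to LONG_MIN/LONG_MAX and
     * sets errno = ERANGE. */
    if (errno == ERANGE)
        return -1;

    /* long may be wider than int (it is on LP64): range-check before
     * narrowing, otherwise the cast would silently truncate. */
    if (v < INT_MIN || v > INT_MAX)
        return -1;

    *out = (int)v;
    return 0;
}

/* The pattern under discussion, kept for contrast.  It accepts trailing
 * garbage ("12abc" parses as 12) and has undefined behaviour when the
 * digits do not fit in an int, so it must not see untrusted input. */
int parse_int_sscanf(const char *s, int *out)
{
    return sscanf(s, "%d", out) == 1 ? 0 : -1;
}

/* Checker wrappers so results can be inspected as return values. */
int strict_accepts(const char *s, int expected)
{
    int v;
    return parse_int_strict(s, &v) == 0 && v == expected;
}

int strict_rejects(const char *s)
{
    int v;
    return parse_int_strict(s, &v) == -1;
}

int sscanf_accepts(const char *s, int expected)
{
    int v;
    return parse_int_sscanf(s, &v) == 0 && v == expected;
}

int main(void)
{
    /* Constructed inputs: in range, trailing garbage, int overflow on
     * LP64 (fits long but not int), long overflow (ERANGE), whitespace. */
    const char *inputs[] = { "42", "-17", "12abc", "4294967296",
                             "99999999999999999999", " 5", "" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v;
        if (parse_int_strict(inputs[i], &v) == 0)
            printf("%-22s -> %d\n", inputs[i], v);
        else
            printf("%-22s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The whitespace rejection is a policy choice: strtol() itself permits leading whitespace and a sign, so a caller that wants to accept "  42" can drop that check and still keep the overflow and trailing-garbage checks, which are the ones that matter for untrusted data.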