From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v2] vmdk: Fix "%x" to PRIx32 in format strings for cid
Date: Thu, 17 Apr 2014 06:00:30 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0

On 04/17/2014 04:43 AM, Fam Zheng wrote:
> Signed-off-by: Fam Zheng <address@hidden>
> 
> ---
> v2: PRIx32 -> SCNx32. (Kevin)
> 
> Signed-off-by: Fam Zheng <address@hidden>
> ---

> +++ b/block/vmdk.c
> @@ -262,7 +262,7 @@ static uint32_t vmdk_read_cid(BlockDriverState *bs, int 
> parent)
>      p_name = strstr(desc, cid_str);
>      if (p_name != NULL) {
>          p_name += cid_str_size;
> -        sscanf(p_name, "%x", &cid);
> +        sscanf(p_name, "%" SCNx32, &cid);
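Review bot: the return value of sscanf() is still unchecked here, so a descriptor whose value after "CID=" is empty or not a hex number fails to match and leaves cid unchanged, with no way for the caller to notice. At minimum guard it, e.g. `if (sscanf(p_name, "%" SCNx32, &cid) != 1) { /* treat descriptor as invalid */ }`; better, parse with strtoul() using its end pointer and errno, which also reports a value that does not fit in 32 bits instead of relying on sscanf()'s undefined overflow behaviour.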

sscanf() has undefined behavior on integer overflow.  This is not the
only vulnerable site in the code base, but if you are ever reading from
external input, and the ASCII string being parsed does not fit in the
variable requested by SCNx32, you risk silently parsing the wrong
number.  It is always safer to use the strtol family (or a sane wrapper
thereof that gets errno handling correct) for parsing strings into
integers.  That said, I'm not going to reject this patch for using
sscanf, so much as suggest that you look into a followup patch to avoid it.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

