[dm-devel] dm: Better number validation in sscanf

[Mike Snitzer]

On Wed, Feb 22 2012 at 10:53am -0500,
Mikulas Patocka <mpatocka at redhat.com> wrote:

> dm: Better number validation in sscanf
> 
> Device mapper uses sscanf to convert arguments to numbers. The problem is that
> sscanf ignores additional unmatched characters in the scanned string.
> 
> For example, this `if (sscanf(string, "%d", &number) == 1)' will match a number,
> but also it will match number with some garbage appended, like "123abc".
> 
> sscanf is used this way at a lot of places in the device mapper and
> as a result, device mapper accepts garbage after some numbers, for example
> the command `dmsetup create vg1-new --table "0 16384 linear 254:1bla 34816bla"'
> will pass without an error.
> 
> This patch fixes all sscanf uses in device mapper. The patch appends "%c" with
> a pointer to a dummy character variable to every sscanf statement.
> 
> The construct `if (sscanf(string, "%d%c", &number, &dummy) == 1)' succeeds
> only if string is a null-terminated number (optinally preceeded by some
> whitespace characters). If there is some character appended after the number,
> sscanf matches "%c", writes the character to the dummy variable and returns 2.
> We check the return value for 1, consequently we reject numbers with some
> garbage appended.
> 
> Signed-off-by: Mikulas Patocka <mpatocka at redhat.com>

Looks reasonable to me.

Acked-by: Mike Snitzer <snitzer at redhat.com>