Standard sscanf isn't well designed for input validation:

 * no way to detect integer overflow
 * unmatched tail text is ignored
 * no mandatory buffer overflow checks

All these problems were found in the wild in cgroup interfaces:
https://patchwork.kernel.org/patch/10831387/
https://lore.kernel.org/patchwork/patch/1046130/

This patchset has patches for first two issues.
Unbounded "%s" is out of scope for now.

Second patch handles integer overflow as parse error:
sscanf exits without touching related argument.

Third patch adds convenient way for checking that
whole text was matched and nothing left.

Fourth adds missing standard features for %[...],
this might be useful for input validation.

Fifth adds __must_check and will generate some new warnings.

The last is a simple test module for checking some basic and
new corner-cases added by this patchset.


Code hasn't changed much:

$ ./scripts/bloat-o-meter lib/vsprintf.o.old lib/vsprintf.o.new
add/remove: 0/0 grow/shrink: 1/0 up/down: 60/0 (60)
Function                                     old     new   delta
vsscanf                                     2270    2330     +60
Total: Before=16904, After=16964, chg +0.35%


Unbounded "%s" could be fixed only by making field width mandatory.
There are only a few users and in most cases sscanf could be eliminated.


---

Konstantin Khlebnikov (6):
      lib: scanf: document features of scanf format string
      lib: scanf: handle integer overflows in vsscanf
      lib: scanf: add vsscanf feature for matching end of text
      lib: scanf: handle character ranges in %[...]
      lib: scanf: mark sscanf and vsscanf as __must_check
      lib: scanf: add test module


 include/linux/kernel.h |   10 ++
 lib/Kconfig.debug      |    3 +
 lib/Makefile           |    1 
 lib/test_scanf.c       |  252 ++++++++++++++++++++++++++++++++++++++++++++++++
 lib/vsprintf.c         |  153 +++++++++++++++++++++--------
 5 files changed, 376 insertions(+), 43 deletions(-)
 create mode 100644 lib/test_scanf.c

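The first two problems listed in the cover letter (undetected integer overflow, ignored tail text), shown in userspace C as an added example that is not code from this patchset. `parse_lax` and `parse_strict` are hypothetical helper names, the inputs are constructed, libc `sscanf` stands in for the kernel's `vsscanf`, and a 32-bit `unsigned int` is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lax: typical sscanf() use. Trailing text is silently accepted and an
 * out-of-range number is not reported to the caller. */
static int parse_lax(const char *s, unsigned int *out)
{
	return sscanf(s, "%u", out) == 1 ? 0 : -1;
}

/* Strict: reject overflow, unmatched tail, empty input and signs.
 * *out is written only on success. */
static int parse_strict(const char *s, unsigned int *out)
{
	char *end;
	unsigned long long v;

	if (*s < '0' || *s > '9')	/* strtoull() would accept ' ', '+', '-' */
		return -1;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (errno == ERANGE || v > UINT_MAX)
		return -1;		/* integer overflow */
	if (*end == '\n')		/* tolerate one newline, as written by echo */
		end++;
	if (*end != '\0')
		return -1;		/* unmatched tail text */
	*out = (unsigned int)v;
	return 0;
}

int main(void)
{
	/* Constructed sample inputs. */
	static const char *in[] = { "42", "42\n", "42abc", "4294967296", "-1", "" };
	size_t i;

	for (i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
		unsigned int a = 0, b = 0;
		int lax = parse_lax(in[i], &a);
		int strict = parse_strict(in[i], &b);

		printf("input #%zu: lax=%d strict=%d\n", i, lax, strict);
	}
	return 0;
}
```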