From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-alpha-bounces@sourceware.org>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=ham
	autolearn_force=no version=3.4.2
Received: from sourceware.org (server2.sourceware.org [8.43.85.97])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by dcvr.yhbt.net (Postfix) with ESMTPS id 39DFE1F55B
	for <e@80x24.org>; Tue, 26 May 2020 09:30:52 +0000 (UTC)
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 2E2973894419;
	Tue, 26 May 2020 09:30:51 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2E2973894419
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1590485451;
	bh=EKbqsmazVDtsT6Bswp6E7/morjoeGHJ5BUsnrKJBLUg=;
	h=Date:To:Subject:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=jYE9lxMeW+XTK7yvzKFKoKebSjfZOw93D7dZJJgSZ8SgXKWPc55unLOKUdysNwiVH
	 tNEucXpLSb3gKeYWDIQCxDaVzXxTyq/KhCuZkErZUyDK7O7XBefn4qXXyFbQyCKilZ
	 2LzOIRPSpTbfwJEIpo7lU/DQi6Bq2c2sSOc2GJUA=
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [205.139.110.120])
 by sourceware.org (Postfix) with ESMTP id D81343893676
 for <libc-alpha@sourceware.org>; Tue, 26 May 2020 09:30:48 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org D81343893676
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-310-hoEu5_ZVMB6SuPeeRbBPAw-1; Tue, 26 May 2020 05:30:46 -0400
X-MC-Unique: hoEu5_ZVMB6SuPeeRbBPAw-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 828B5100A620;
 Tue, 26 May 2020 09:30:45 +0000 (UTC)
Received: from localhost (ovpn-112-79.ams2.redhat.com [10.36.112.79])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 6FD4C9007F;
 Tue, 26 May 2020 09:30:42 +0000 (UTC)
Date: Tue, 26 May 2020 10:30:41 +0100
To: Rich Felker <dalias@libc.org>
Subject: Re: [Libguestfs] RFC: *scanf vs. overflow
Message-ID: <20200526093041.GL7304@redhat.com>
References: <f3e5f1dc-d8cf-4fba-fa7f-97e6e5218660@redhat.com>
 <20200523011614.GE1079@brightrain.aerifal.cx>
 <f96bf232-878f-6981-5214-988d0b65ae14@cs.ucla.edu>
 <20200523161143.GI1079@brightrain.aerifal.cx>
 <900d665c-40be-bd1b-215a-391cded68d3b@cs.ucla.edu>
 <20200523164500.GK1079@brightrain.aerifal.cx>
MIME-Version: 1.0
In-Reply-To: <20200523164500.GK1079@brightrain.aerifal.cx>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
From: "Richard W.M. Jones via Libc-alpha" <libc-alpha@sourceware.org>
Reply-To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: glibc list <libc-alpha@sourceware.org>,
 "libguestfs@redhat.com" <libguestfs@redhat.com>
Errors-To: libc-alpha-bounces@sourceware.org
Sender: "Libc-alpha" <libc-alpha-bounces@sourceware.org>

On Sat, May 23, 2020 at 12:45:01PM -0400, Rich Felker wrote:
> I don't follow. *Any* use of scanf on untrusted input is "vulnerable
> to the integer-overflow issue" in the sense that overflow is UB. This
> is not something subtle.

{,s}scanf is a useful, natural way to parse strings, and strto* is a
horrible interface with many bear traps.  It seems to me scanf could
be changed to make it safe for overflow, simply by stopping parsing at
the point where the overflow occurs and returning a short count (or
the various other ideas suggested already in this thread).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top