diff options
| author | yangqixiao <yangqixiao@inspur.com> | 2025-12-30 20:46:56 +0800 |
|---|---|---|
| committer | Jon Mason <jdmason@kudzu.us> | 2026-02-20 17:31:55 -0500 |
| commit | 21fbdc4d0b1e7f9cabacc3587d07c62e01c7b5e8 (patch) | |
| tree | 7a36b66242c91f820ce295f5f1d5b544a788e5b6 /drivers | |
| parent | 4921811678e93a83cbfebc14814a165ae794bf1d (diff) | |
ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write
The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
user input into 'u64 addr' and 'size_t wsize'. This is incorrect:
- "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
Input like "0x8000000000000000" is misinterpreted as negative,
leading to corrupted address values.
- "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
Input of "-1" is successfully parsed and stored as SIZE_MAX
(e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
or infinite loops in subsequent memory operations.
Fix by using format specifiers that match the actual variable types:
- "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
- "%zu" for size_t (standard and safe; rejects negative input)
Signed-off-by: yangqixiao <yangqixiao@inspur.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/ntb/test/ntb_tool.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c index 641cb7e05a47..06881047f5bc 100644 --- a/drivers/ntb/test/ntb_tool.c +++ b/drivers/ntb/test/ntb_tool.c @@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep, buf[buf_size] = '\0'; - n = sscanf(buf, "%lli:%zi", &addr, &wsize); + n = sscanf(buf, "%llu:%zu", &addr, &wsize); if (n != 2) return -EINVAL; |