[asterisk-dev] Config reading and scanf with large numbers
snuffy
snuffy22 at gmail.com
Wed Jun 1 05:25:57 CDT 2016
Hello All,
I noticed a bug report ASTERISK-25972,
Looking through the code we do the following:
sscanf(string,"%30d",&my_int);
Now issue is an integer can't hold a number of 30 digits in length, 32bit
ints are safe with 9, and 64bit with 19.
If we set a value of %9d, if there are any more digits after the first 9
they will be lost but we know the value will be inside the range of an
integer.
For single value scans, like reading from config files we could 'mitigate'
by checking the strlen of the value we intend to read before running scanf,
if return is >9, emit a warning stating their value will be truncated and
read only the first 9 characters into the integer.
If we use just %d, followed by %n we can see how many characters have been
consumed, if we determine that it would be too large, emit a warning
stating that the value is most likely incorrect.
Am I barking up the wrong tree? thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20160601/42ab94bf/attachment.html>
More information about the asterisk-dev
mailing list