1. Patchew
  2. linux
  3. View series

[PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write

yangqixiao posted 1 patch 1 month, 1 week ago 
drivers/ntb/test/ntb_tool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write
Posted by yangqixiao 1 month, 1 week ago 
The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
user input into 'u64 addr' and 'size_t wsize'. This is incorrect:

 - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
   Input like "0x8000000000000000" is misinterpreted as negative,
   leading to corrupted address values.

 - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
   Input of "-1" is successfully parsed and stored as SIZE_MAX
   (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
   or infinite loops in subsequent memory operations.

Fix by using format specifiers that match the actual variable types:
 - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
 - "%zu" for size_t (standard and safe; rejects negative input)

Signed-off-by: yangqixiao <yangqixiao@inspur.com>
---
 drivers/ntb/test/ntb_tool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
index 641cb7e05a47..06881047f5bc 100644
--- a/drivers/ntb/test/ntb_tool.c
+++ b/drivers/ntb/test/ntb_tool.c
@@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep,
 
 	buf[buf_size] = '\0';
 
-	n = sscanf(buf, "%lli:%zi", &addr, &wsize);
+	n = sscanf(buf, "%llu:%zu", &addr, &wsize);
 	if (n != 2)
 		return -EINVAL;
 
-- 
2.47.3
Re: [PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write
Posted by Dave Jiang 1 month ago 

On 12/30/25 5:46 AM, yangqixiao wrote:
> The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
> user input into 'u64 addr' and 'size_t wsize'. This is incorrect:
> 
>  - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
>    Input like "0x8000000000000000" is misinterpreted as negative,
>    leading to corrupted address values.
> 
>  - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
>    Input of "-1" is successfully parsed and stored as SIZE_MAX
>    (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
>    or infinite loops in subsequent memory operations.
> 
> Fix by using format specifiers that match the actual variable types:
>  - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
>  - "%zu" for size_t (standard and safe; rejects negative input)
> 
> Signed-off-by: yangqixiao <yangqixiao@inspur.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  drivers/ntb/test/ntb_tool.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
> index 641cb7e05a47..06881047f5bc 100644
> --- a/drivers/ntb/test/ntb_tool.c
> +++ b/drivers/ntb/test/ntb_tool.c
> @@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep,
>  
>  	buf[buf_size] = '\0';
>  
> -	n = sscanf(buf, "%lli:%zi", &addr, &wsize);
> +	n = sscanf(buf, "%llu:%zu", &addr, &wsize);
>  	if (n != 2)
>  		return -EINVAL;
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.