Blob Blame History Raw
From 2e40c869df425738ef06e7159a16adf5bf82c548 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Sep 2014 15:57:26 -0400
Subject: [PATCH 08/18] Try to avoid covscan freaking out about sscanf with %n.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

covscan says:

 5. efibootmgr-0.8.0/src/lib/disk.c:96:tainted_data_argument – Calling
 function "fgets(char * restrict, int, FILE * restrict)" taints argument
 "line".
 10. efibootmgr-0.8.0/src/lib/disk.c:103:vararg_transitive – Call to
 "sscanf(char const * restrict, char const * restrict, ...)" with
 tainted argument "line" taints "major".
 11. efibootmgr-0.8.0/src/lib/disk.c:103:vararg_transitive – Call to
 "sscanf(char const * restrict, char const * restrict, ...)" with
 tainted argument "line" taints "scanned".
 13. efibootmgr-0.8.0/src/lib/disk.c:103:tainted_data – Using tainted
 variable "scanned" as an index into an array "line".

I *think* that's really complaining that if sscanf fails before
processing %n, then "scanned" is indeterminate here.  So I've assigned
it to 0.

Either way, if any of that goes wrong, the code's going to completely
fail.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 src/lib/disk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/disk.c b/src/lib/disk.c
index 904010b..4536a67 100644
--- a/src/lib/disk.c
+++ b/src/lib/disk.c
@@ -56,7 +56,7 @@ get_virtblk_major(void)
 	}
 	while (fgets(line, sizeof line, f) != NULL) {
 		size_t len = strlen(line);
-		int major, scanned;
+		int major, scanned = 0;
 
 		if (len == 0 || line[len - 1] != '\n') {
 			break;
@@ -95,7 +95,7 @@ get_nvme_major(void)
 	}
 	while (fgets(line, sizeof line, f) != NULL) {
 		size_t len = strlen(line);
-		int major, scanned;
+		int major, scanned = 0;
 
 		if (len == 0 || line[len - 1] != '\n') {
 			break;
-- 
1.9.3