Flawfinder : remove atol and atof, replace with strtoll and strtof

Flawfinder reminds us that unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). https://cwe.mitre.org/data/definitions/190.html replace these library calls with strtoll and strtof, and include more error checking. Signed-off-by: Robin Getz <[email protected]>
analogdevicesinc · May 19, 2020 · fd23a0b · fd23a0b
1 parent 8606010
commit fd23a0b
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 11 deletions.
diff --git a/local.c b/local.c
@@ -1221,9 +1221,16 @@ static int handle_protected_scan_element_attr(struct iio_channel *chn,
 
 	if (!strcmp(name, "index")) {
 		ret = local_read_dev_attr(dev, path, buf, sizeof(buf), false);
-		if (ret > 0)
-			chn->index = atol(buf);
+		if (ret > 0) {
+			char *end;
+			long long value;
+
+			value = strtoll(buf, &end, 0);
+			if (end == buf || value > LONG_MAX)
+				return -EINVAL;
 
+			chn->index = (long) value;
+		}
 	} else if (!strcmp(name, "type")) {
 		ret = local_read_dev_attr(dev, path, buf, sizeof(buf), false);
 		if (ret > 0) {
@@ -1917,16 +1924,21 @@ static const struct iio_backend_ops local_ops = {
 
 static void init_data_scale(struct iio_channel *chn)
 {
-	char buf[1024];
+	char *end, buf[1024];
 	ssize_t ret;
+	float value;
 
+	chn->format.with_scale = false;
 	ret = iio_channel_attr_read(chn, "scale", buf, sizeof(buf));
-	if (ret < 0) {
-		chn->format.with_scale = false;
-	} else {
-		chn->format.with_scale = true;
-		chn->format.scale = atof(buf);
-	}
+	if (ret < 0)
+		return;
+
+	value = strtof(buf, &end);
+	if (end == buf)
+		return;
+
+	chn->format.with_scale = true;
+	chn->format.scale = value;
 }
 
 static void init_scan_elements(struct iio_context *ctx)

diff --git a/xml.c b/xml.c
@@ -139,7 +139,13 @@ static void setup_scan_element(struct iio_channel *chn, xmlNode *n)
 		const char *name = (const char *) attr->name,
 		      *content = (const char *) attr->children->content;
 		if (!strcmp(name, "index")) {
-			chn->index = atol(content);
+			char *end;
+			long long value;
+
+			value = strtoll(content, &end, 0);
+			if (end == content || value > LONG_MAX)
+				return;
+			chn->index = (long) value;
 		} else if (!strcmp(name, "format")) {
 			char e, s;
 			if (strchr(content, 'X')) {
@@ -170,8 +176,17 @@ static void setup_scan_element(struct iio_channel *chn, xmlNode *n)
 			chn->format.is_fully_defined = (s == 'S' || s == 'U' ||
 				chn->format.bits == chn->format.length);
 		} else if (!strcmp(name, "scale")) {
+			char *end;
+			float value;
+
+			value = strtof(content, &end);
+			if (end == content) {
+				chn->format.with_scale = false;
+				return;
+			}
+
 			chn->format.with_scale = true;
-			chn->format.scale = atof(content);
+			chn->format.scale = value;
 		} else {
 			IIO_WARNING("Unknown attribute \'%s\' in <scan-element>\n",
 					name);