From 21fbdc4d0b1e7f9cabacc3587d07c62e01c7b5e8 Mon Sep 17 00:00:00 2001 From: yangqixiao Date: Tue, 30 Dec 2025 20:46:56 +0800 Subject: [PATCH] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse user input into 'u64 addr' and 'size_t wsize'. This is incorrect: - "%lli" expects a signed long long *, but 'addr' is u64 (unsigned). Input like "0x8000000000000000" is misinterpreted as negative, leading to corrupted address values. - "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned). Input of "-1" is successfully parsed and stored as SIZE_MAX (e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows or infinite loops in subsequent memory operations. Fix by using format specifiers that match the actual variable types: - "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing) - "%zu" for size_t (standard and safe; rejects negative input) Signed-off-by: yangqixiao Reviewed-by: Dave Jiang Signed-off-by: Jon Mason --- drivers/ntb/test/ntb_tool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c index 641cb7e05a47..06881047f5bc 100644 --- a/drivers/ntb/test/ntb_tool.c +++ b/drivers/ntb/test/ntb_tool.c @@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep, buf[buf_size] = '\0'; - n = sscanf(buf, "%lli:%zi", &addr, &wsize); + n = sscanf(buf, "%llu:%zu", &addr, &wsize); if (n != 2) return -EINVAL; -- 2.30.2