On Fri, 29 Aug 2025 12:39:30 +0200 Ivan Vecera wrote:
> >> + strscpy(buf, *psrc, min(sizeof(buf), *psize));
> >> + rc = sscanf(buf, "%15s %u %n", name, &count, &pos);
> >> + if (!rc) {
> >> + /* No more data */
> >> + return 0;
> >> + } else if (rc == 1) {
> >> + ZL3073X_FW_ERR_MSG(zldev, extack, "invalid component size");
> >> + return -EINVAL;
> >> + }
> >> + *psrc += pos;
> >> + *psize -= pos;
> >
> > what if pos > *psize ? I think the parsing needs more care.
>
> This should not happen. strscpy copies min(32, *psize) from the source
> to buf and sscanf parses buf and fills pos by index from the buf.
> The pos cannot be greater than *psize...or did I miss something?
Glancing at it now, I think I was concerned that *psize will go
negative / wrap. So potentially leading to over-read of psrc,
rather than overflow of buf. But I could well be wrong..
