[PATCH v1] ntb/ntb_tool: correct sscanf format for u64 and size_t in tool_peer_mw_trans_write
From: yangqixiao
Date: Tue Dec 30 2025 - 07:48:14 EST
The sscanf() call in tool_peer_mw_trans_write() uses "%lli:%zi" to parse
user input into 'u64 addr' and 'size_t wsize'. This is incorrect:
- "%lli" expects a signed long long *, but 'addr' is u64 (unsigned).
Input like "0x8000000000000000" is misinterpreted as negative,
leading to corrupted address values.
- "%zi" expects a signed ssize_t *, but 'wsize' is size_t (unsigned).
Input of "-1" is successfully parsed and stored as SIZE_MAX
(e.g., 0xFFFFFFFFFFFFFFFF), which may cause buffer overflows
or infinite loops in subsequent memory operations.
Fix by using format specifiers that match the actual variable types:
- "%llu" for u64 (supports hex/decimal, standard for kernel u64 parsing)
- "%zu" for size_t (standard and safe; rejects negative input)
Signed-off-by: yangqixiao <yangqixiao@xxxxxxxxxx>
---
drivers/ntb/test/ntb_tool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
index 641cb7e05a47..06881047f5bc 100644
--- a/drivers/ntb/test/ntb_tool.c
+++ b/drivers/ntb/test/ntb_tool.c
@@ -936,7 +936,7 @@ static ssize_t tool_peer_mw_trans_write(struct file *filep,
buf[buf_size] = '\0';
- n = sscanf(buf, "%lli:%zi", &addr, &wsize);
+ n = sscanf(buf, "%llu:%zu", &addr, &wsize);
if (n != 2)
return -EINVAL;
--
2.47.3