# sscanf() has bug?



## luo (Jan 5, 2012)

In my driver, I use sscanf() to create a string. I found the OS crashed. The test code is as follows:


```
char buffer2[100] = {1};

buffer2[0] = 1;
buffer2[1] = 1;
buffer2[2] = 1;
buffer2[3] = 1;
buffer2[4] = 1;
buffer2[5] = 1;
buffer2[6] = 1;
buffer2[7] = 1;
buffer2[8] = 0;
sscanf(buffer2, "%c", '8');
printf(buffer2);
```

OS:
FreeBSD 8.2-RELEASE (64bit)

Does sscanf() have a bug in kernel space?


----------



## xibo (Jan 5, 2012)

No it doesn't have any kernel side bugs, because sscanf isn't a kernel call to begin with.

Most probably you are causing an invalid memory access detection when trying to write data (buffer2[0]) into 0x00000038 ('8') - i.e. element 0x38 of page 0 (a.k.a. the null- or nil-page) that is usually considered to be inaccessible, but this should crash your application, not the OS. Unless when saying OS crashed while referring to "crash within an OS shipped library".


----------



## monkeyboy (Jan 5, 2012)

No the OP is saying that he is crashing the kernel since that piece of code is in his driver. But you are right that usage of sscanf is faulty, by handing '8' to sscanf as a pointer to a char. BTW it never used to be ok to use stdio C library routines in the kernel. Maybe sscanf is ok, but certainly not as written.


----------



## Crivens (Jan 5, 2012)

It may very well crash the kernel because the code is simply and plainly buggy.

The scan functions take pointers as their vararg parameters, so the '8' better be a valid address to write to, because that is what sscanf is going to do. 

Maybe this will be settled in the fastest way possible when the OP simply says what he wants to achieve. The answer is most likely 1 to 2 lines.


----------
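The point made in the replies above, as an added example that is not code from the thread: sscanf() writes through every conversion argument, so each one must be the address of writable storage, and the return value tells whether a conversion actually happened. This is a userland sketch; the helper names `read_char` and `read_token` and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Read one character from input into *out. Returns 1 on success, 0 otherwise.
 * The conversion target is &c, a pointer to real storage. A character
 * constant such as '8' is just the integer 0x38, which sscanf() would
 * treat as the address to write to. */
int read_char(const char *input, char *out)
{
    char c;

    if (input == NULL || out == NULL)
        return 0;
    if (sscanf(input, "%c", &c) != 1)   /* empty input yields EOF, not 1 */
        return 0;
    *out = c;
    return 1;
}

/* Read one whitespace-delimited token of at most 15 characters.
 * The field width keeps sscanf() inside dst: 15 characters plus the NUL. */
int read_token(const char *input, char *dst, size_t dst_len)
{
    if (input == NULL || dst == NULL || dst_len < 16)
        return 0;
    return sscanf(input, "%15s", dst) == 1;
}

int main(void)
{
    char buffer2[100] = "8 and more";   /* constructed sample input */
    char c = 0;
    char tok[16];

    printf("'8' passed as a pointer would be address 0x%x\n", (unsigned)'8');
    if (read_char(buffer2, &c))
        printf("read_char  -> %c\n", c);
    if (read_token("averyveryverylongtokenvalue", tok, sizeof tok))
        printf("read_token -> %s\n", tok);   /* truncated to 15 characters */
    return 0;
}
```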

