    proc_parse: check that scanf fills the offset var · a48e52b5
    Andrey Vagin authored
    CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
    40. tainted_data: Using tainted variable "hoff" as an index into an
    array "str"
    
    $ man 3 scanf
    n      Nothing  is expected; instead, the number of characters consumed
          thus far from the input is  stored  through  the  next  pointer,
          which  must  be  a  pointer  to  int.  This is not a conversion,
          although it can be suppressed with the *  assignment-suppression
          character.   The  C  standard says: "Execution of a %n directive
          does not increment the assignment count returned at the  comple‐
          tion of execution" but the Corrigendum seems to contradict this.
          Probably it is wise not to make any assumptions on the effect of
          %n conversions on the return value.
    
    So it isn't enough to check a return code from scanf().
    
    Cc: Cyrill Gorcunov <gorcunov@openvz.org>
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
    Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
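The check the commit describes, as an added example written for this page (not the CRIU proc_parse.c change itself): a /proc/<pid>/maps-style line is parsed with sscanf and %n, and the offset variable is pre-set to a sentinel so that a %n that never executed cannot become an uninitialised index. The format string, result codes and sample lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

enum { MAPS_NO_PATH = -1, MAPS_BAD_LINE = -2 };
/* Locate the path field of a /proc/<pid>/maps-style line with %n.
 * Returns the offset of the path in `line`, MAPS_NO_PATH for an
 * anonymous mapping, or MAPS_BAD_LINE if the fixed fields are broken. */
static int maps_path_offset(const char *line)
{
    unsigned long start, end, pgoff, ino;
    unsigned int dev_major, dev_minor;
    char r, w, x, p;
    int hoff = -1; /* sentinel: stays -1 if the %n directive never runs */
    int num;
    num = sscanf(line, "%lx-%lx %c%c%c%c %lx %x:%x %lu %n",
                 &start, &end, &r, &w, &x, &p,
                 &pgoff, &dev_major, &dev_minor, &ino, &hoff);
    /* Ten assignments are expected; %n is not counted in `num`, so a
     * full return value says nothing about whether hoff was stored. */
    if (num != 10 || end <= start)
        return MAPS_BAD_LINE;
    /* scanf(3) gives no guarantee that %n runs when input ends before it;
     * the sentinel makes that case visible instead of leaving hoff as an
     * uninitialised (tainted) index into `line`. */
    if (hoff < 0)
        return MAPS_NO_PATH;
    if ((size_t)hoff > strlen(line)) /* keep the index bounded regardless */
        return MAPS_BAD_LINE;
    if (line[hoff] == '\0' || line[hoff] == '\n')
        return MAPS_NO_PATH;
    return hoff;
}

int main(void)
{
    /* constructed sample lines, not captured from a real process */
    const char *lines[] = {
        "7f1234560000-7f1234561000 r-xp 00000000 08:01 123456 /usr/lib/libc.so.6",
        "7f1234560000-7f1234561000 rw-p 00000000 00:00 0 \n",
        "7f1234560000-7f1234561000 r-xp 00000000 08:01",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int off = maps_path_offset(lines[i]);
        if (off >= 0)
            printf("path at %d: %s\n", off, lines[i] + off);
        else
            printf("%s\n", off == MAPS_NO_PATH ? "no path" : "bad line");
    }
    return 0;
}
```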
proc_parse.c 34.5 KB