Dan, > There are two bug in this code: > 1) If count is zero, then it will lead to a NULL dereference. The > kmalloc() will successfully allocate zero bytes and the test for > "if (buf[0] == '-')" will read beyond the end of the zero size buffer > and Oops. > 2) The code does not ensure that the user's string is properly NUL > terminated which could lead to a read overflow. Applied 1+2 to 6.7/scsi-staging, thanks! -- Martin K. Petersen Oracle Linux Engineering
