On Mon, 06 Nov 2023 17:04:33 +0300, Dan Carpenter wrote:
> There are two bug in this code:
> 1) If count is zero, then it will lead to a NULL dereference. The
> kmalloc() will successfully allocate zero bytes and the test for
> "if (buf[0] == '-')" will read beyond the end of the zero size buffer
> and Oops.
> 2) The code does not ensure that the user's string is properly NUL
> terminated which could lead to a read overflow.
>
> [...]
Applied to 6.7/scsi-fixes, thanks!
[1/2] scsi: scsi_debug: scsi: scsi_debug: fix some bugs in sdebug_error_write()
https://git.kernel.org/mkp/scsi/c/860c3d03bbc3
[2/2] scsi: scsi_debug: delete some bogus error checking
https://git.kernel.org/mkp/scsi/c/037fbd3fcfbd
--
Martin K. Petersen Oracle Linux Engineering
