Bui,
> Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from > userspace to that buffer. Later, we use sscanf on this buffer but we don't > ensure that the string is terminated inside the buffer, this can lead to > OOB read when using sscanf. Fix this issue by using memdup_user_nul > instead of memdup_user. Applied to 6.10/scsi-staging, thanks! -- Martin K. Petersen Oracle Linux Engineering
