DF-0099
Off-by-one heap NUL-byte overflow in vfs_mountroot_try via ksscanf width/buffer-size mismatch
Summary
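In vfs_mountroot_try (vfs_conf.c:419-431), vfsname is allocated with kmalloc(MFSNAMELEN = 16) and devname with kmalloc(MNAMELEN = 80). The scan pattern is built with ksprintf(patt, "%%%d[a-z0-9]:%%%ds", MFSNAMELEN, MNAMELEN), which yields "%16[a-z0-9]:%80s" (:430), and is applied with ksscanf(mf, patt, vfsname, devname) (:431).

In subr_scanf, the CT_CCL conversion (:338-352) writes up to width characters and then a terminating NUL (*p = 0). With a width of 16 that is 16 characters plus the NUL, so 17 bytes go into the 16-byte vfsname: a 1-byte heap NUL overflow. CT_STRING (:374-383) behaves the same way: 80 characters plus the NUL is 81 bytes into the 80-byte devname.

The overflow fires BEFORE the fstype validation (:435). The MFSNAMELEN define at mount.h:92 is marked "incl null", which confirms that the correct width is the define minus 1.

Reachability is boot-time only: the console mountroot prompt (:558) or the loader environment variable vfs.root.mountfrom (:171).

Fix: use MFSNAMELEN-1 and MNAMELEN-1 as the widths.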
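The width arithmetic above as a user-space model, added here as an example and not taken from the kernel source: make_patt, scan_ccl and bytes_written are hypothetical names, and scan_ccl is a simplified stand-in for the CT_CCL conversion. A guard byte takes the place of the heap byte that follows the 16-byte allocation, so the model shows the stray NUL without itself writing out of bounds.

```c
#include <stdio.h>
#include <string.h>

#define MFSNAMELEN 16   /* from the page; the length includes the NUL */
#define MNAMELEN   80   /* from the page */

/* Build the scan pattern the way the page describes (hypothetical helper). */
void make_patt(char *dst, size_t n, int fsw, int devw)
{
    snprintf(dst, n, "%%%d[a-z0-9]:%%%ds", fsw, devw);
}

/* Simplified model of a [a-z0-9] scanset conversion: store at most `width`
 * matching characters, then a terminating NUL. Returns bytes written. */
static size_t scan_ccl(const char *in, char *out, int width)
{
    char *p = out;
    while (width-- > 0 &&
           ((*in >= 'a' && *in <= 'z') || (*in >= '0' && *in <= '9')))
        *p++ = *in++;
    *p = 0;                       /* the write that lands one past the end */
    return (size_t)(p - out) + 1;
}

/* Run the model on a constructed over-long fstype name. backing[] stands in
 * for the 16-byte allocation plus one guard byte for the neighbouring heap
 * byte, so the model itself never writes out of bounds. */
size_t bytes_written(int width, unsigned char *guard)
{
    char backing[MFSNAMELEN + 1];
    memset(backing, 0xAA, sizeof(backing));
    size_t n = scan_ccl("abcdefghijklmnopqrstuvwxyz:da0s1a", backing, width);
    *guard = (unsigned char)backing[MFSNAMELEN];
    return n;
}

int main(void)
{
    char patt[32];
    unsigned char g;
    make_patt(patt, sizeof(patt), MFSNAMELEN, MNAMELEN);
    printf("pattern as built: %s\n", patt);
    size_t n = bytes_written(MFSNAMELEN, &g);
    printf("width %d: %zu bytes, guard=0x%02x\n", MFSNAMELEN, n, g);
    n = bytes_written(MFSNAMELEN - 1, &g);
    printf("width %d: %zu bytes, guard=0x%02x\n", MFSNAMELEN - 1, n, g);
    return 0;
}
```

With the width set to the buffer size the guard byte is zeroed; with the width one smaller the NUL lands on the last byte of the buffer and the guard is untouched.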