Index: rf_disks.c =================================================================== RCS file: /cvsroot/src/sys/dev/raidframe/rf_disks.c,v retrieving revision 1.91 diff -p -u -r1.91 rf_disks.c --- rf_disks.c 9 Feb 2019 03:34:00 -0000 1.91 +++ rf_disks.c 10 Aug 2022 02:52:39 -0000 @@ -318,11 +318,12 @@ static int rf_AllocDiskStructures(RF_Raid_t *raidPtr, RF_Config_t *cfgPtr) { int ret; + size_t entries = raidPtr->numCol + RF_MAXSPARE; /* We allocate RF_MAXSPARE on the first row so that we have room to do hot-swapping of spares */ - raidPtr->Disks = RF_MallocAndAdd((raidPtr->numCol + RF_MAXSPARE) * - sizeof(*raidPtr->Disks), raidPtr->cleanupList); + raidPtr->Disks = RF_MallocAndAdd( + entries * sizeof(*raidPtr->Disks), raidPtr->cleanupList); if (raidPtr->Disks == NULL) { ret = ENOMEM; goto fail; @@ -330,9 +331,7 @@ rf_AllocDiskStructures(RF_Raid_t *raidPt /* get space for device specific stuff.. */ raidPtr->raid_cinfo = RF_MallocAndAdd( - (raidPtr->numCol + RF_MAXSPARE) * sizeof(*raidPtr->raid_cinfo), - raidPtr->cleanupList); - + entries * sizeof(*raidPtr->raid_cinfo), raidPtr->cleanupList); if (raidPtr->raid_cinfo == NULL) { ret = ENOMEM; goto fail; @@ -607,7 +606,8 @@ rf_ConfigureDisk(RF_Raid_t *raidPtr, cha error = dk_lookup(pb, curlwp, &vp); pathbuf_destroy(pb); if (error) { - printf("dk_lookup on device: %s failed!\n", diskPtr->devname); + printf("dk_lookup on device: '%s' failed: %d\n", + diskPtr->devname, error); if (error == ENXIO) { /* the component isn't there... must be dead :-( */ diskPtr->status = rf_ds_failed; Index: rf_driver.c =================================================================== RCS file: /cvsroot/src/sys/dev/raidframe/rf_driver.c,v retrieving revision 1.135 diff -p -u -r1.135 rf_driver.c --- rf_driver.c 9 Feb 2019 03:34:00 -0000 1.135 +++ rf_driver.c 10 Aug 2022 02:52:39 -0000 
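Review bot: `size_t entries = raidPtr->numCol + RF_MAXSPARE;` still performs the addition in int (numCol is an int, as the `numCol >= 0` checks elsewhere in this commit imply) and only widens afterwards, so the sum is safe solely because the caller-side range checks added in rf_construct() and the KASSERTs in rf_Configure() bound numCol below RF_MAXCOL, and nothing in this function records that dependency. A one-line comment at the declaration would make it explicit: `/* numCol is bounded by RF_MAXCOL before we are called, so this cannot overflow */`. The same `entries` value feeds the raid_cinfo allocation in the next hunk, so one comment covers both. As a point of style, the declaration now sits above the existing comment explaining why RF_MAXSPARE is added, so the explanation follows the line it explains; moving the comment above the declaration reads better. The body of rf_AllocDiskStructures continues outside both hunks.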
@@ -350,6 +350,11 @@ rf_Configure(RF_Raid_t *raidPtr, RF_Conf (void (*) (void *)) rf_FreeAllocList, raidPtr->cleanupList); + KASSERT(cfgPtr->numCol < RF_MAXCOL); + KASSERT(cfgPtr->numCol >= 0); + KASSERT(cfgPtr->numSpare < RF_MAXSPARE); + KASSERT(cfgPtr->numSpare >= 0); + raidPtr->numCol = cfgPtr->numCol; raidPtr->numSpare = cfgPtr->numSpare; Index: rf_netbsdkintf.c =================================================================== RCS file: /cvsroot/src/sys/dev/raidframe/rf_netbsdkintf.c,v retrieving revision 1.376.4.2 diff -p -u -r1.376.4.2 rf_netbsdkintf.c --- rf_netbsdkintf.c 3 Aug 2022 10:55:45 -0000 1.376.4.2 +++ rf_netbsdkintf.c 10 Aug 2022 02:52:39 -0000 @@ -1179,7 +1179,7 @@ rf_getConfiguration(struct raid_softc *r int rf_construct(struct raid_softc *rs, RF_Config_t *k_cfg) { - int retcode; + int retcode, i; RF_Raid_t *raidPtr = &rs->sc_r; rs->sc_flags &= ~RAIDF_SHUTDOWN; @@ -1190,6 +1190,29 @@ rf_construct(struct raid_softc *rs, RF_C /* should do some kind of sanity check on the configuration. * Store the sum of all the bytes in the last byte? */ + /* Force nul-termination on all strings. */ +#define ZERO_FINAL(s) do { s[sizeof(s) - 1] = '\0'; } while (0) + for (i = 0; i < RF_MAXCOL; i++) { + ZERO_FINAL(k_cfg->devnames[0][i]); + } + for (i = 0; i < RF_MAXSPARE; i++) { + ZERO_FINAL(k_cfg->spare_names[i]); + } + for (i = 0; i < RF_MAXDBGV; i++) { + ZERO_FINAL(k_cfg->debugVars[i]); + } +#undef ZERO_FINAL + + /* Check some basic limits. */ + if (k_cfg->numCol >= RF_MAXCOL || k_cfg->numCol < 0) { + retcode = EINVAL; + goto out; + } + if (k_cfg->numSpare >= RF_MAXSPARE || k_cfg->numSpare < 0) { + retcode = EINVAL; + goto out; + } + /* configure the system */ /* 
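Review bot: The four KASSERTs on cfgPtr->numCol and cfgPtr->numSpare are compiled out in a kernel built without DIAGNOSTIC, so they document the invariant rather than enforce it; the enforcing check is the EINVAL test this commit adds to rf_construct() in rf_netbsdkintf.c. If rf_Configure() is reachable by any path other than rf_construct() (not visible here), that path gets no range check at all in a non-DIAGNOSTIC kernel, which is worth confirming. A short comment above the asserts would make the division of responsibility explicit: `/* Range is enforced by rf_construct() before we get here; assert the invariant only. */`. rf_Configure's body extends beyond the hunk on both sides.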
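Review bot: The ZERO_FINAL loop terminates only row 0 of k_cfg->devnames; if the array has further rows that are read anywhere (not visible here) those strings stay untrusted and unterminated, so a comment stating the assumption would help, e.g. `/* only row 0 of devnames is consumed by the driver */`. The existing comment just above, `should do some kind of sanity check on the configuration`, is now partly stale and could be reworded to say that string termination and the column/spare limits are checked below. Stylistically `ZERO_FINAL(s)` should parenthesize its argument, `(s)[sizeof(s) - 1] = '\0'`, even though the current call sites pass postfix expressions. The `>= RF_MAXCOL` and `>= RF_MAXSPARE` tests reject numCol == RF_MAXCOL and numSpare == RF_MAXSPARE, which the loops above show are indexable; if that strictness is deliberate it deserves a comment. rf_construct's body continues on both sides of the hunk.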
@@ -1390,6 +1413,18 @@ rf_check_recon_status(RF_Raid_t *raidPtr
 return 0;
 }
+/*
+ * Copy a RF_SingleComponent_t from 'data', ensuring nul-termination
+ * on the component_name[] array.
+ */
+static void
+rf_copy_single_component(RF_SingleComponent_t *component, void *data)
+{
+
+ memcpy(component, data, sizeof *component);
+ component->component_name[sizeof(component->component_name) - 1] = '\0';
+}
+
 static int
 raidioctl(dev_t dev, u_long cmd, void *data, int flag, struct lwp *l)
 {
@@ -1405,7 +1440,6 @@ raidioctl(dev_t dev, u_long cmd, void *d
 int retcode = 0;
 int column;
 RF_ComponentLabel_t *clabel;
- RF_SingleComponent_t *sparePtr,*componentPtr;
 int d;
 if ((rs = raidget(unit, false)) == NULL)
@@ -1494,21 +1528,18 @@ raidioctl(dev_t dev, u_long cmd, void *d
 rf_RewriteParityThread, raidPtr,"raid_parity");
 case RAIDFRAME_ADD_HOT_SPARE:
- sparePtr = (RF_SingleComponent_t *) data;
- memcpy(&component, sparePtr, sizeof(RF_SingleComponent_t));
+ rf_copy_single_component(&component, data);
 return rf_add_hot_spare(raidPtr, &component);
 case RAIDFRAME_REMOVE_HOT_SPARE:
 return retcode;
 case RAIDFRAME_DELETE_COMPONENT:
- componentPtr = (RF_SingleComponent_t *)data;
- memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t));
+ rf_copy_single_component(&component, data);
 return rf_delete_component(raidPtr, &component);
 case RAIDFRAME_INCORPORATE_HOT_SPARE:
- componentPtr = (RF_SingleComponent_t *)data;
- memcpy(&component, componentPtr, sizeof(RF_SingleComponent_t));
+ rf_copy_single_component(&component, data);
 return rf_incorporate_hot_spare(raidPtr, &component);
 case RAIDFRAME_REBUILD_IN_PLACE:
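Review bot: `data` in rf_copy_single_component is only read (it is the memcpy source), so the parameter should be declared `const void *data`; the three call sites in the last hunk pass the ioctl `data` pointer unchanged and are unaffected. The helper terminates only component_name; if RF_SingleComponent_t carries any other char array that is later used as a string (not visible here) it would need the same treatment, and the header comment could state that component_name is the only string field copied from userland. Proposed signature: `rf_copy_single_component(RF_SingleComponent_t *component, const void *data)`.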