
From:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject:
iscsid: be more careful handling ISCSI_SCSI_STAT_CHCK_COND
To:
tech@openbsd.org
Date:
Wed, 20 May 2026 20:27:10 +0200

In the vscsi_callback() handle ISCSI_SCSI_STAT_CHCK_COND more carefully.
Especially the embedded sense data needs to be extracted respecting the
real buffer length. Make sure at least 2 bytes are available for the length
and also check that the resulting len is not bigger than the buffer
itself.

Also in vscsi_status() check if len > 0 instead of looking at buf. This is
for the case where buf is set but len is 0. 
-- 
:wq Claudio

Index: vscsi.c
===================================================================
RCS file: /cvs/src/usr.sbin/iscsid/vscsi.c,v
diff -u -p -r1.18 vscsi.c
--- vscsi.c	28 Dec 2022 21:30:16 -0000	1.18
+++ vscsi.c	20 May 2026 18:22:01 -0000
@@ -177,7 +177,7 @@ vscsi_status(int tag, int status, void *
 	bzero(&t2i, sizeof(t2i));
 	t2i.tag = tag;
 	t2i.status = status;
-	if (buf) {
+	if (len > 0) {
 		if (len > sizeof(t2i.sense))
 			len = sizeof(t2i.sense);
 		memcpy(&t2i.sense, buf, len);
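Review bot: replacing `if (buf)` with `if (len > 0)` drops the NULL test, so a caller that hands in a NULL buf together with a non-zero len would now reach `memcpy(&t2i.sense, buf, len)`; the case the change targets (buf set, len 0) is handled, but either `if (buf != NULL && len > 0)` or a guarantee from every caller that len is 0 whenever buf is NULL is needed to keep this safe. The comparison `len > sizeof(t2i.sense)` is against a size_t, so len should be an unsigned type (its declaration is not in this hunk); otherwise a negative len would pass the `len > 0` check's intent only by accident of signedness.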
@@ -241,9 +241,12 @@ vscsi_callback(struct connection *c, voi
 			status = VSCSI_STAT_SENSE;
 			/* stupid encoding of sense data in the data segment */
 			buf = pdu_getbuf(p, &n, PDU_DATA);
-			if (buf) {
+			if (buf && n >= 2) {
 				size = buf[0] << 8 | buf[1];
 				buf += 2;
+				n -= 2;
+				if (size > n)
+					size = n;
 			}
 			break;
 		default:
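Review bot: when `buf` is NULL or `n < 2` the body of `if (buf && n >= 2)` is skipped and `size` keeps whatever value it had before the switch, which this hunk does not show; the vscsi_status() change now relies on len being 0 in exactly that case, so please confirm `size` is initialised to 0 before this branch, or add an `else size = 0;` here to make it explicit. The clamp `if (size > n) size = n;` silently truncates a SenseLength field that overstates the data segment; a debug log at that point would make a misbehaving target visible rather than quietly shortening the sense data.

The two-byte SenseLength prefix handling that the patch hardens, written out as a stand-alone C example (added here, not iscsid's code): it refuses a segment shorter than the prefix, clamps a SenseLength that overstates the segment, and copies nothing when the resulting length is 0 even though the buffer pointer is set. The `sense_view` type and both function names are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result of pulling sense data out of an iSCSI SCSI Response data segment.
 * Constructed example (not iscsid's code): the data segment carries a
 * two-byte big-endian SenseLength followed by SenseLength bytes of sense. */
struct sense_view {
	const uint8_t *data;   /* start of sense bytes, or NULL */
	size_t len;            /* usable sense bytes (never exceeds segment) */
	int truncated;         /* 1 if SenseLength claimed more than present */
};

/* Extract sense data without trusting the embedded length. */
struct sense_view
sense_extract(const uint8_t *buf, size_t n)
{
	struct sense_view v = { NULL, 0, 0 };
	size_t claimed;

	/* Need the 2-byte length prefix before reading anything. */
	if (buf == NULL || n < 2)
		return v;
	claimed = (size_t)buf[0] << 8 | buf[1];
	buf += 2;
	n -= 2;
	v.data = buf;
	if (claimed > n) {
		/* Target overstated SenseLength: keep only what is present. */
		v.truncated = 1;
		claimed = n;
	}
	v.len = claimed;
	return v;
}

/* Copy at most `cap` sense bytes into a fixed-size target, as the
 * vscsi_status() path does; copies nothing when len is 0 even if data
 * is non-NULL. Returns the number of bytes copied. */
size_t
sense_copy(uint8_t *dst, size_t cap, struct sense_view v)
{
	if (v.data == NULL || v.len == 0)
		return 0;
	if (v.len > cap)
		v.len = cap;
	memcpy(dst, v.data, v.len);
	return v.len;
}
```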