From: rkennedy Date: Tue, 13 Oct 2015 20:15:21 +0000 (-0700) Subject: fix: lpfc_send_rscn_event sends bigger buffer size X-Git-Tag: v4.1.12-92~249^2~3^2~5 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f54dff58d4d163dbf0ee43e8ce51d24b12fe2772;p=users%2Fjedix%2Flinux-maple.git fix: lpfc_send_rscn_event sends bigger buffer size Submitted by james.smart () james.smart.()@emulex.comSubmitted by Ales Novak Ales.Novak@emulex.com From: Ales Novak alnovak@suse.cz lpfc_send_rscn_event() allocates data for sizeof(struct lpfc_rscn_event_header) + payload_len, but claims that the data has size of sizeof(struct lpfc_els_event_header) + payload_len. That leads to buffer overruns. Signed-off-by: Ales Novak alnovak@suse.cz Signed-off-by: James Smart james.smart@avagotech.com Reviewed-by: Hannes Reinecke hare@suse.de http://marc.info/?l=linux-scsi&m=144105411603743&w=2 Orabug: 22029622 From dick.kennedy@avagotech.com lpfc-10.5.0.1-11.0.0.3-1.tar.gz Acked-by: Chuck Anderson --- diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index 0cbfe4e1f78f4..9d7395da05785 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -5409,7 +5409,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport, fc_host_post_vendor_event(shost, fc_get_event_number(), - sizeof(struct lpfc_els_event_header) + payload_len, + sizeof(struct lpfc_rscn_event_header) + payload_len, (char *)rscn_event_data, LPFC_NL_VENDOR_ID);