From: rkennedy <dick.kennedy@avagotech.com>
Date: Tue, 13 Oct 2015 20:15:21 +0000 (-0700)
Subject: fix: lpfc_send_rscn_event sends bigger buffer size
X-Git-Tag: v4.1.12-92~249^2~3^2~5
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f54dff58d4d163dbf0ee43e8ce51d24b12fe2772;p=users%2Fjedix%2Flinux-maple.git

fix: lpfc_send_rscn_event sends bigger buffer size

Submitted by james.smart () james.smart.()@emulex.comSubmitted by Ales Novak Ales.Novak@emulex.com

From: Ales Novak alnovak@suse.cz

lpfc_send_rscn_event() allocates data for sizeof(struct
lpfc_rscn_event_header) + payload_len, but claims that the data has size
of sizeof(struct lpfc_els_event_header) + payload_len. That leads to
buffer overruns.

Signed-off-by: Ales Novak alnovak@suse.cz
Signed-off-by: James Smart james.smart@avagotech.com
Reviewed-by: Hannes Reinecke hare@suse.de

http://marc.info/?l=linux-scsi&m=144105411603743&w=2

Orabug: 22029622
From dick.kennedy@avagotech.com lpfc-10.5.0.1-11.0.0.3-1.tar.gz
Acked-by: Chuck Anderson <chuck.anderson@oracle.com>
---

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 0cbfe4e1f78f4..9d7395da05785 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5409,7 +5409,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport,
 
 	fc_host_post_vendor_event(shost,
 		fc_get_event_number(),
-		sizeof(struct lpfc_els_event_header) + payload_len,
+		sizeof(struct lpfc_rscn_event_header) + payload_len,
 		(char *)rscn_event_data,
 		LPFC_NL_VENDOR_ID);