From f54dff58d4d163dbf0ee43e8ce51d24b12fe2772 Mon Sep 17 00:00:00 2001
From: rkennedy <dick.kennedy@avagotech.com>
Date: Tue, 13 Oct 2015 13:15:21 -0700
Subject: [PATCH] fix: lpfc_send_rscn_event sends bigger buffer size

Submitted by james.smart () james.smart.()@emulex.comSubmitted by Ales Novak Ales.Novak@emulex.com

From: Ales Novak alnovak@suse.cz

lpfc_send_rscn_event() allocates data for sizeof(struct
lpfc_rscn_event_header) + payload_len, but claims that the data has size
of sizeof(struct lpfc_els_event_header) + payload_len. That leads to
buffer overruns.

Signed-off-by: Ales Novak alnovak@suse.cz
Signed-off-by: James Smart james.smart@avagotech.com
Reviewed-by: Hannes Reinecke hare@suse.de

http://marc.info/?l=linux-scsi&m=144105411603743&w=2

Orabug: 22029622
From dick.kennedy@avagotech.com lpfc-10.5.0.1-11.0.0.3-1.tar.gz
Acked-by: Chuck Anderson <chuck.anderson@oracle.com>
---
 drivers/scsi/lpfc/lpfc_els.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 0cbfe4e1f78f..9d7395da0578 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5409,7 +5409,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport,
 
 	fc_host_post_vendor_event(shost,
 		fc_get_event_number(),
-		sizeof(struct lpfc_els_event_header) + payload_len,
+		sizeof(struct lpfc_rscn_event_header) + payload_len,
 		(char *)rscn_event_data,
 		LPFC_NL_VENDOR_ID);
 
-- 
2.50.1