projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: db6f1c2)
fix: lpfc_send_rscn_event sends bigger buffer size
authorAles Novak <alnovak@suse.cz>
Mon, 31 Aug 2015 20:48:16 +0000 (16:48 -0400)
committerJames Bottomley <JBottomley@Odin.com>
Tue, 27 Oct 2015 01:08:51 +0000 (10:08 +0900)
lpfc_send_rscn_event() allocates data for sizeof(struct
lpfc_rscn_event_header) + payload_len, but claims that the data has size
of sizeof(struct lpfc_els_event_header) + payload_len. That leads to
buffer overruns.

Signed-off-by: Ales Novak <alnovak@suse.cz>
Signed-off-by: James Smart <james.smart@avagotech.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sebastian Herbszt <herbszt@gmx.de>
Signed-off-by: James Bottomley <JBottomley@Odin.com>
drivers/scsi/lpfc/lpfc_els.c patch | blob | blame | history

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index c859aa3c0f9a9fba0b8bfcabfb2a3fa17e2f8003..f9c957d64c022003e976a7e791b0cfc7f30acde0 100644 (file)
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5401,7 +5401,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport,
 
        fc_host_post_vendor_event(shost,
                fc_get_event_number(),
-               sizeof(struct lpfc_els_event_header) + payload_len,
+               sizeof(struct lpfc_rscn_event_header) + payload_len,
                (char *)rscn_event_data,
                LPFC_NL_VENDOR_ID);