From: Ales Novak Date: Mon, 31 Aug 2015 20:48:16 +0000 (-0400) Subject: fix: lpfc_send_rscn_event sends bigger buffer size X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6599eaaa45e0f40ddbbcf164cf3e3524faed9383;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git fix: lpfc_send_rscn_event sends bigger buffer size lpfc_send_rscn_event() allocates data for sizeof(struct lpfc_rscn_event_header) + payload_len, but claims that the data has size of sizeof(struct lpfc_els_event_header) + payload_len. That leads to buffer overruns. Signed-off-by: Ales Novak Signed-off-by: James Smart Reviewed-by: Hannes Reinecke Reviewed-by: Sebastian Herbszt Signed-off-by: James Bottomley --- diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index c859aa3c0f9a..f9c957d64c02 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -5401,7 +5401,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport, fc_host_post_vendor_event(shost, fc_get_event_number(), - sizeof(struct lpfc_els_event_header) + payload_len, + sizeof(struct lpfc_rscn_event_header) + payload_len, (char *)rscn_event_data, LPFC_NL_VENDOR_ID);