| Message ID | 1440070545-15037-1-git-send-email-alnovak@suse.cz (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 08/20/2015 01:35 PM, Ales Novak wrote: > lpfc_send_rscn_event() allocates data for sizeof(struct > lpfc_rscn_event_header) + payload_len, but claims that the data has size > of sizeof(struct lpfc_els_event_header) + payload_len. That leads to > buffer overruns. > > Signed-off-by: Ales Novak <alnovak@suse.cz> > --- > drivers/scsi/lpfc/lpfc_els.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c > index 36bf58b..136928e 100644 > --- a/drivers/scsi/lpfc/lpfc_els.c > +++ b/drivers/scsi/lpfc/lpfc_els.c > @@ -5444,7 +5444,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport, > > fc_host_post_vendor_event(shost, > fc_get_event_number(), > - sizeof(struct lpfc_els_event_header) + payload_len, > + sizeof(struct lpfc_rscn_event_header) + payload_len, > (char *)rscn_event_data, > LPFC_NL_VENDOR_ID); > > Reviewed-by: Hannes Reinecke <hare@suse.de> Cheers, Hannes
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index 36bf58b..136928e 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -5444,7 +5444,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport, fc_host_post_vendor_event(shost, fc_get_event_number(), - sizeof(struct lpfc_els_event_header) + payload_len, + sizeof(struct lpfc_rscn_event_header) + payload_len, (char *)rscn_event_data, LPFC_NL_VENDOR_ID);
lpfc_send_rscn_event() allocates data for sizeof(struct lpfc_rscn_event_header) + payload_len, but claims that the data has size of sizeof(struct lpfc_els_event_header) + payload_len. That leads to buffer overruns. Signed-off-by: Ales Novak <alnovak@suse.cz> --- drivers/scsi/lpfc/lpfc_els.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)