From patchwork Mon Aug 31 20:48:16 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Smart X-Patchwork-Id: 7101541 Return-Path: X-Original-To: patchwork-linux-scsi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id D1BF89F402 for ; Mon, 31 Aug 2015 20:48:38 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 013A3206A3 for ; Mon, 31 Aug 2015 20:48:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2906D206A4 for ; Mon, 31 Aug 2015 20:48:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753244AbbHaUse (ORCPT ); Mon, 31 Aug 2015 16:48:34 -0400 Received: from mail-qk0-f176.google.com ([209.85.220.176]:35104 "EHLO mail-qk0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753231AbbHaUsd (ORCPT ); Mon, 31 Aug 2015 16:48:33 -0400 Received: by qkcj187 with SMTP id j187so16804631qkc.2 for ; Mon, 31 Aug 2015 13:48:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avagotech.com; s=google; h=date:from:to:subject:message-id:user-agent:mime-version :content-type:content-transfer-encoding; bh=FOO7O80eNbrvSrGTODEFNj2F1BZYOvX2VnQpqSZvuyE=; b=KgHeWtRgZfeo0+1QAUs5VaIjXkIf6G2AjSJ4468mgTn9YnLiuywsqWD4tUkU+9/x4z VKQHctLNy1PKHENeTmSG6deFqcKr6M3KOrCpgTmu4EE2Ih0m72M+/NVZCZkQMK+93Tbm UnHJJ9UxM8JoEYdIw74JTnxAorsyKi2z+cvm8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:user-agent :mime-version:content-type:content-transfer-encoding; bh=FOO7O80eNbrvSrGTODEFNj2F1BZYOvX2VnQpqSZvuyE=; b=d/Cc/SqYwPjZHB76EMj4pPywOOGG0OXBulPyRdoIqrLtObWZqyePahL0r6txwWNvZX /zSubLIyO9943uR1yT/1LNPIBVBh+HvqT7AzT+ceh0MGolK/T3vH65iNoPNtHAN22bpq RnVCtt9d0F5OvAOhj84snfYyqDML7VYQKhkWx7GDVTPRo+SstT8rCLu3cyugIdzzykbI V/lvgrvofiJ+Ad1neURnqOVOdnEPS73RQwtgqlserClBLqyjGm4OI3R+niZsvHPHkJLW CxW51Ikp/IujS+E7wEIEsONqs367TquYq96hFRyZ70EDhY9OLhfbbLw6DpRpmSM21Wsc utlQ== X-Gm-Message-State: ALoCoQnWzu6gcvxxQTR4V1VwZRFxiwjDjIM153zH3KW6kN+D7heCKY9uWW/dkgsjUKvDmXmBejhA X-Received: by 10.55.221.79 with SMTP id n76mr12124583qki.62.1441054112257; Mon, 31 Aug 2015 13:48:32 -0700 (PDT) Received: from myfc17 (c-75-67-235-135.hsd1.nh.comcast.net. [75.67.235.135]) by smtp.gmail.com with ESMTPSA id b82sm9430307qhc.46.2015.08.31.13.48.31 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 31 Aug 2015 13:48:31 -0700 (PDT) Date: Mon, 31 Aug 2015 16:48:16 -0400 From: james.smart@avagotech.com (James Smart) To: linux-scsi@vger.kernel.org Subject: [PATCH 09/14] fix: lpfc_send_rscn_event sends bigger buffer size Message-ID: <55e4bd90.zlcxDDRSu3edLd6S%james.smart@avagotech.com> User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Ales Novak lpfc_send_rscn_event() allocates data for sizeof(struct lpfc_rscn_event_header) + payload_len, but claims that the data has size of sizeof(struct lpfc_els_event_header) + payload_len. That leads to buffer overruns. Signed-off-by: Ales Novak Signed-off-by: James Smart Reviewed-by: Hannes Reinecke Reviewed-by: Sebastian Herbszt --- drivers/scsi/lpfc/lpfc_els.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c index c859aa3..f9c957d 100644 --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -5401,7 +5401,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport, fc_host_post_vendor_event(shost, fc_get_event_number(), - sizeof(struct lpfc_els_event_header) + payload_len, + sizeof(struct lpfc_rscn_event_header) + payload_len, (char *)rscn_event_data, LPFC_NL_VENDOR_ID);