fix: lpfc_send_rscn_event sends bigger buffer size

lpfc_send_rscn_event() allocates data for sizeof(struct
lpfc_rscn_event_header) + payload_len, but claims that the data has size
of sizeof(struct lpfc_els_event_header) + payload_len. That leads to
buffer overruns.

Signed-off-by: Ales Novak <[email protected]>
Signed-off-by: James Smart <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Reviewed-by: Sebastian Herbszt <[email protected]>
Signed-off-by: James Bottomley <[email protected]>

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index c859aa3c0f9a9fba0b8bfcabfb2a3fa17e2f8003..f9c957d64c022003e976a7e791b0cfc7f30acde0 100644 (file)
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5401,7 +5401,7 @@ lpfc_send_rscn_event(struct lpfc_vport *vport,
 
        fc_host_post_vendor_event(shost,
                fc_get_event_number(),
-               sizeof(struct lpfc_els_event_header) + payload_len,
+               sizeof(struct lpfc_rscn_event_header) + payload_len,
                (char *)rscn_event_data,
                LPFC_NL_VENDOR_ID);