[PATCH] scsi: lpfc: bound RPL ACC payload size to the response structure
From: Michael Bommarito
Date: Wed Jun 10 2026 - 07:47:44 EST
lpfc_els_rcv_rpl() handles an unsolicited RPL (Read Port List) ELS
request from a fabric peer. For a request with rpl->index != 0 (or
index 0 with a small maxsize) it computes the accept payload size as
cmdsize = sizeof(uint32_t) + maxsize * sizeof(uint32_t);
into a uint16_t, where maxsize comes straight from the peer's request
with no upper bound. lpfc_els_rsp_rpl_acc() then builds the response
with
memcpy(pcmd, &rpl_rsp, cmdsize - sizeof(uint32_t));
The RPL accept always carries exactly one RPL_RSP structure, so a
peer-chosen maxsize makes cmdsize - sizeof(uint32_t) exceed
sizeof(RPL_RSP): the copy reads past the on-stack RPL_RSP, placing
adjacent kernel stack into the response sent back to the peer, and for
a large maxsize overruns the command buffer.
Bound cmdsize the same way the index == 0 branch already does, since
the accept payload is a single RPL_RSP regardless of the requested
maxsize.
Fixes: 7bb3b137abf2 ("[SCSI] lpfc 8.1.2: Handling of ELS commands RRQ, RPS, RPL and LIRR correctly")
Cc: stable@xxxxxxxxxxxxxxx
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
drivers/scsi/lpfc/lpfc_els.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 4e3fe89283e41..555b2e4d78fb9 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -9250,7 +9250,11 @@ lpfc_els_rcv_rpl(struct lpfc_vport *vport, struct lpfc_iocbq *cmdiocb,
((maxsize * sizeof(uint32_t)) >= sizeof(RPL_RSP)))) {
cmdsize = sizeof(uint32_t) + sizeof(RPL_RSP);
} else {
- cmdsize = sizeof(uint32_t) + maxsize * sizeof(uint32_t);
+ u64 sz = sizeof(uint32_t) + (u64)maxsize * sizeof(uint32_t);
+
+ if (sz > sizeof(uint32_t) + sizeof(RPL_RSP))
+ sz = sizeof(uint32_t) + sizeof(RPL_RSP);
+ cmdsize = sz;
}
lpfc_els_rsp_rpl_acc(vport, cmdsize, cmdiocb, ndlp);
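Review bot: the u64 temporary and the explicit compare in the else branch can be folded into one expression with the kernel's min helper, which also makes the bound read the same way as the index == 0 check just above it, e.g. `cmdsize = sizeof(uint32_t) + min_t(size_t, maxsize, sizeof(RPL_RSP) / sizeof(uint32_t)) * sizeof(uint32_t);` (equivalent to the patched clamp whenever sizeof(RPL_RSP) is a multiple of sizeof(uint32_t), which the existing `>= sizeof(RPL_RSP)` comparison already assumes). The narrowing `cmdsize = sz;` is safe only because of the clamp on the line before it; a one-line comment saying the accept carries exactly one RPL_RSP would keep a later edit from reordering them. Note also that the unchanged `maxsize * sizeof(uint32_t)` in the condition on the first context line is still computed in size_t and can wrap on a 32-bit build for a large maxsize, but since a wrapped product only sends the request into the now-clamped else branch, that path produces at most sizeof(uint32_t) + sizeof(RPL_RSP) as well, so no separate fix is needed there.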
--
2.53.0
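The following is an added example, not lpfc driver code, that models on the host how lpfc_els_rcv_rpl() derives cmdsize from the peer-supplied maxsize before and after this patch, and what length the memcpy() in lpfc_els_rsp_rpl_acc() then receives relative to the on-stack RPL_RSP. It assumes an RPL_RSP layout reconstructed from memory of lpfc_hw.h (a stand-in, only its sizeof matters here) and takes the index == 0 condition from the hunk's visible context line. Beyond the cases in the commit message, it shows the uint16_t wrap: a maxsize such as 0x3fff drives the pre-patch cmdsize to 0, so the size_t expression `cmdsize - sizeof(uint32_t)` underflows to SIZE_MAX - 3 rather than merely exceeding sizeof(RPL_RSP).

```c
/*
 * Added example, not lpfc driver code: host-side model of the RPL ACC
 * cmdsize derivation before and after the patch.
 * Assumptions: RPL_RSP/PORT_RPL_ENTRY below are stand-ins reconstructed
 * from memory of lpfc_hw.h; the index == 0 condition mirrors the hunk's
 * context line; request tuples in main() are constructed test input.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct lpfc_name { uint8_t b[8]; };              /* 8-byte WWN (assumed) */

typedef struct {
	uint32_t physPortNo;
	uint32_t portIdx;
	struct lpfc_name portName;
} PORT_RPL_ENTRY;

typedef struct {
	uint32_t listLen;
	uint32_t index;
	PORT_RPL_ENTRY port_list[1];
} RPL_RSP;                                        /* assumed: 24 bytes */

#define RPL_ACC_SIZE (sizeof(uint32_t) + sizeof(RPL_RSP))

/* The existing index == 0 branch condition, as visible in the hunk context. */
static bool full_response_case(uint32_t index, uint32_t maxsize)
{
	return index == 0 &&
	       (maxsize == 0 || maxsize * sizeof(uint32_t) >= sizeof(RPL_RSP));
}

/* Pre-patch: unbounded product, silently narrowed to uint16_t on assignment. */
uint16_t cmdsize_before(uint32_t index, uint32_t maxsize)
{
	uint16_t cmdsize;

	if (full_response_case(index, maxsize))
		cmdsize = RPL_ACC_SIZE;
	else
		cmdsize = sizeof(uint32_t) + maxsize * sizeof(uint32_t);
	return cmdsize;
}

/* Post-patch: widen first, clamp to one RPL_RSP, then narrow. */
uint16_t cmdsize_after(uint32_t index, uint32_t maxsize)
{
	uint16_t cmdsize;

	if (full_response_case(index, maxsize)) {
		cmdsize = RPL_ACC_SIZE;
	} else {
		uint64_t sz = sizeof(uint32_t) + (uint64_t)maxsize * sizeof(uint32_t);

		if (sz > RPL_ACC_SIZE)
			sz = RPL_ACC_SIZE;
		cmdsize = sz;
	}
	return cmdsize;
}

/* The length expression the accept path hands to memcpy(), evaluated in size_t. */
size_t rpl_copy_len(uint16_t cmdsize)
{
	return cmdsize - sizeof(uint32_t);
}

/* True when that copy would read past the end of the on-stack RPL_RSP. */
bool rpl_copy_overruns(uint16_t cmdsize)
{
	return rpl_copy_len(cmdsize) > sizeof(RPL_RSP);
}

int main(void)
{
	/* Constructed peer requests: {index, maxsize}. */
	static const uint32_t req[][2] = {
		{0, 0}, {0, 3}, {0, 6}, {1, 1}, {1, 100}, {1, 0x3fff}, {1, 0xffffffffu},
	};

	printf("sizeof(RPL_RSP) = %zu\n", sizeof(RPL_RSP));
	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
		uint16_t b = cmdsize_before(req[i][0], req[i][1]);
		uint16_t a = cmdsize_after(req[i][0], req[i][1]);

		printf("index=%u maxsize=%#x: before cmdsize=%u copy=%zu%s | "
		       "after cmdsize=%u copy=%zu%s\n",
		       req[i][0], req[i][1],
		       b, rpl_copy_len(b), rpl_copy_overruns(b) ? " (overrun)" : "",
		       a, rpl_copy_len(a), rpl_copy_overruns(a) ? " (overrun)" : "");
	}
	return 0;
}
```

The "before" column is the interesting one: for index != 0 any maxsize above sizeof(RPL_RSP) / 4 already overreads the struct, and once 4 + 4 * maxsize reaches 0x10000 the narrowed cmdsize wraps to a small value, so the copy length is no longer "too large" but a wrapped size_t. The "after" column never exceeds 4 + sizeof(RPL_RSP), which is the whole point of the clamp.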