From 4f4abb4d807a3416fa9d9a2ec9b770d3e9e9e6ef Mon Sep 17 00:00:00 2001
From: Wang Yufen
Date: Mon, 30 Aug 2021 16:08:18 +0800
Subject: [PATCH] tcp_comp: Fix comp_read_size return value
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I47SV5?from=project-issue
CVE: NA
-------------------------------------------------
In comp_read_size rxm->offset should be subtracted from skb->len. And use strp_done to release resoureces when destroy sock.
Signed-off-by: Wang Yufen
Reviewed-by: Wei Yongjun
Reviewed-by: Yue Haibing
Signed-off-by: Yang Yingliang
---
 net/ipv4/tcp_comp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_comp.c b/net/ipv4/tcp_comp.c
index f6ebe52f3f7f..bd5274091225 100644
--- a/net/ipv4/tcp_comp.c
+++ b/net/ipv4/tcp_comp.c
@@ -789,7 +789,7 @@ static int comp_read_size(struct strparser *strp, struct sk_buff *skb)
 if (rxm->offset > skb->len)
 return 0;
- return skb->len;
+ return skb->len - rxm->offset;
 }
 void comp_setup_strp(struct sock *sk, struct tcp_comp_context *ctx)
@@ -903,6 +903,7 @@ static void tcp_comp_context_free(struct rcu_head *head)
 tcp_comp_context_tx_free(ctx);
 tcp_comp_context_rx_free(ctx);
+ strp_done(&ctx->rx.strp);
 kfree(ctx);
 }
@@ -923,6 +924,7 @@ void tcp_cleanup_compression(struct sock *sk)
 kfree_skb(ctx->rx.pkt);
 ctx->rx.pkt = NULL;
 }
+ strp_stop(&ctx->rx.strp);
 rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
 call_rcu(&ctx->rcu, tcp_comp_context_free);
-- GitLab
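Review bot: The guard just above the changed line in comp_read_size still returns 0 when `rxm->offset > skb->len`, and a strparser parse callback returning 0 means "message incomplete, wait for more data", so an inconsistent offset would stall the stream quietly instead of aborting it. If that state can only come from a bug, a negative errno such as `return -EINVAL;` would make the parser stop visibly; if it is expected, a comment should say so. Because `rxm->offset` is signed and `skb->len` is unsigned, both the comparison and the new subtraction run in unsigned arithmetic, which deserves a one-line comment such as `/* offset <= len here, so the difference is the unparsed byte count */`. The function body starts outside the hunk.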
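Review bot: `strp_done()` is added to tcp_comp_context_free, which the last hunk shows being run through `call_rcu()`, so it executes in RCU callback (softirq) context, while strp_done() cancels the parser's work items synchronously and may sleep. The teardown should move to process context, for instance by having the RCU callback queue a work item that calls strp_done() and then frees the context. Separately, the call sits after `tcp_comp_context_rx_free(ctx);`; if that helper releases state the parser work can still touch (not visible here), the order should be `strp_done(&ctx->rx.strp);` first and `tcp_comp_context_rx_free(ctx);` after it. The start of the function is outside the hunk.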
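Review bot: `strp_stop()` is called here with no visible sign that the socket lock is held, and the strparser API expects it to be called with the lower socket locked; the start of tcp_cleanup_compression is outside the hunk, so this needs confirming against the callers. The call also runs after `ctx->rx.pkt` has been freed, whereas stopping the parser first would keep the teardown order easier to reason about. A comment such as `/* stop the parser before the RCU-deferred free; strp_done() requires it stopped */` would record why the two calls are split across functions.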