From d876fdbb275e8fe0849b9fb4739969c8d27a2002 Mon Sep 17 00:00:00 2001
From: Wang Yufen <wangyufen@huawei.com>
Date: Sat, 22 Jan 2022 17:58:16 +0800
Subject: [PATCH] tcp_comp: Fix ZSTD_decompressStream failed

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I48H9Z?from=project-issue
CVE: NA

-------------------------------------------------

This patch fixes possible ZSTD_decompressStream failures. When decompressing
skb->data, should skip the previous rxm->offset data.

Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Lu Wei <luwei32@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 net/ipv4/tcp_comp.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/tcp_comp.c b/net/ipv4/tcp_comp.c
index 7d40c2f3981b..1a907d9a51e0 100644
--- a/net/ipv4/tcp_comp.c
+++ b/net/ipv4/tcp_comp.c
@@ -569,8 +569,8 @@ static void *tcp_comp_get_rx_stream(struct sock *sk)
 static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb)
 {
 	struct tcp_comp_context *ctx = comp_get_ctx(sk);
+	struct strp_msg *rxm = strp_msg(skb);
 	const int plen = skb->len;
-	struct strp_msg *rxm;
 	ZSTD_outBuffer outbuf;
 	ZSTD_inBuffer inbuf;
 	int len;
@@ -591,11 +591,11 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb)
 		       ctx->rx.data_offset);
 
 	memcpy((char *)ctx->rx.compressed_data + ctx->rx.data_offset,
-	       skb->data, plen);
+	       (char *)skb->data + rxm->offset, plen - rxm->offset);
 
 	inbuf.src = ctx->rx.compressed_data;
 	inbuf.pos = 0;
-	inbuf.size = plen + ctx->rx.data_offset;
+	inbuf.size = plen - rxm->offset + ctx->rx.data_offset;
 	ctx->rx.data_offset = 0;
 
 	outbuf.dst = ctx->rx.plaintext_data;
@@ -606,7 +606,6 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb)
 		size_t ret;
 
 		to = outbuf.dst;
-
 		ret = ZSTD_decompressStream(ctx->rx.dstream, &outbuf, &inbuf);
 		if (ZSTD_isError(ret))
 			return -EIO;
@@ -616,8 +615,8 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb)
 			len = skb_tailroom(skb);
 
 		__skb_put(skb, len);
-		rxm = strp_msg(skb);
-		rxm->full_len += len;
+		rxm->full_len += (len + rxm->offset);
+		rxm->offset = 0;
 
 		len += plen;
 		skb_copy_to_linear_data(skb, to, len);
-- 
GitLab