Commit d876fdbb authored by Wang Yufen's avatar Wang Yufen Committed by Zheng Zengkai
Browse files

tcp_comp: Fix ZSTD_decompressStream failed 

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I48H9Z?from=project-issue


CVE: NA

-------------------------------------------------

This patch fixes possible ZSTD_decompressStream failures. When decompressing
skb->data, should skip the previous rxm->offset data.

Signed-off-by: default avatarWang Yufen <wangyufen@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: default avatarLu Wei <luwei32@huawei.com>
Reviewed-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent ab0323bb

net/ipv4/tcp_comp.c

+5 −6
Original line number Diff line number Diff line
@@ -569,8 +569,8 @@ static void *tcp_comp_get_rx_stream(struct sock *sk) 
static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb)

{

	struct tcp_comp_context *ctx = comp_get_ctx(sk);

	struct strp_msg *rxm = strp_msg(skb);

	const int plen = skb->len;

	struct strp_msg *rxm;

	ZSTD_outBuffer outbuf;

	ZSTD_inBuffer inbuf;

	int len;
@@ -591,11 +591,11 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb) 
		       ctx->rx.data_offset);



	memcpy((char *)ctx->rx.compressed_data + ctx->rx.data_offset,

	       skb->data, plen);

	       (char *)skb->data + rxm->offset, plen - rxm->offset);



	inbuf.src = ctx->rx.compressed_data;

	inbuf.pos = 0;

	inbuf.size = plen + ctx->rx.data_offset;

	inbuf.size = plen - rxm->offset + ctx->rx.data_offset;

	ctx->rx.data_offset = 0;



	outbuf.dst = ctx->rx.plaintext_data;
@@ -606,7 +606,6 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb) 
		size_t ret;



		to = outbuf.dst;



		ret = ZSTD_decompressStream(ctx->rx.dstream, &outbuf, &inbuf);

		if (ZSTD_isError(ret))

			return -EIO;
@@ -616,8 +615,8 @@ static int tcp_comp_decompress(struct sock *sk, struct sk_buff *skb) 
			len = skb_tailroom(skb);



		__skb_put(skb, len);

		rxm = strp_msg(skb);

		rxm->full_len += len;

		rxm->full_len += (len + rxm->offset);

		rxm->offset = 0;



		len += plen;

		skb_copy_to_linear_data(skb, to, len);