From: Wang Yufen <wangyufen@huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I47SV5?from=project-issue CVE: NA ------------------------------------------------- In comp_read_size rxm->offset should be subtracted from skb->len. And use strp_done to release resoureces when destroy sock. Signed-off-by: Wang Yufen <wangyufen@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Lu Wei <luwei32@huawei.com> Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Lu Wei <luwei32@huawei.com> --- net/ipv4/tcp_comp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_comp.c b/net/ipv4/tcp_comp.c index 739e59036e25..bbb635284af4 100644 --- a/net/ipv4/tcp_comp.c +++ b/net/ipv4/tcp_comp.c @@ -763,7 +763,7 @@ static int comp_read_size(struct strparser *strp, struct sk_buff *skb) if (rxm->offset > skb->len) return 0; - return skb->len; + return skb->len - rxm->offset; } void comp_setup_strp(struct sock *sk, struct tcp_comp_context *ctx) @@ -870,6 +870,7 @@ static void tcp_comp_context_free(struct rcu_head *head) tcp_comp_context_tx_free(ctx); tcp_comp_context_rx_free(ctx); + strp_done(&ctx->rx.strp); kfree(ctx); } @@ -885,6 +886,7 @@ void tcp_cleanup_compression(struct sock *sk) kfree_skb(ctx->rx.pkt); ctx->rx.pkt = NULL; } + strp_stop(&ctx->rx.strp); rcu_assign_pointer(icsk->icsk_ulp_data, NULL); call_rcu(&ctx->rcu, tcp_comp_context_free); -- 2.31.1