Commit 9fa5fdf2 authored by Dimitris Michailidis's avatar Dimitris Michailidis Committed by David S. Miller
Browse files

tcp: Fix length tcp_splice_data_recv passes to skb_splice_bits. 



tcp_splice_data_recv has two lengths to consider: the len parameter it
gets from tcp_read_sock, which specifies the amount of data in the skb,
and rd_desc->count, which is the amount of data the splice caller still
wants.  Currently it passes just the latter to skb_splice_bits, which then
splices min(rd_desc->count, skb->len - offset) bytes.

Most of the time this is fine, except when the skb contains urgent data.
In that case len goes only up to the urgent byte and is less than
skb->len - offset.  By ignoring len tcp_splice_data_recv may a) splice
data tcp_read_sock told it not to, b) return to tcp_read_sock a value > len.

Now, tcp_read_sock doesn't handle used > len and leaves the socket in a
bad state (both sk_receive_queue and copied_seq are bad at that point)
resulting in duplicated data and corruption.

Fix by passing min(rd_desc->count, len) to skb_splice_bits.

Signed-off-by: default avatarDimitris Michailidis <dm@chelsio.com>
Acked-by: default avatarEric Dumazet <dada1@cosmosbay.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a7a41acf

net/ipv4/tcp.c

+2 −1
Original line number Diff line number Diff line
@@ -524,7 +524,8 @@ static int tcp_splice_data_recv(read_descriptor_t *rd_desc, struct sk_buff *skb, 
	struct tcp_splice_state *tss = rd_desc->arg.data;

	int ret;



	ret = skb_splice_bits(skb, offset, tss->pipe, rd_desc->count, tss->flags);

	ret = skb_splice_bits(skb, offset, tss->pipe, min(rd_desc->count, len),

			      tss->flags);

	if (ret > 0)

		rd_desc->count -= ret;

	return ret;

CRA Git | Maintained and supported by SUSTech CRA and CCSE