From ef660083c8ed7c1a78ca856a567b9bc2b4d227d2 Mon Sep 17 00:00:00 2001
From: zhanghongyu <zhanghongyu@xiaomi.com>
Date: Fri, 15 Jul 2022 17:10:37 +0800
Subject: [PATCH] tcp: check option length before d_len update

Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
---
 net/tcp/tcp_input.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/net/tcp/tcp_input.c b/net/tcp/tcp_input.c
index b48e40b250..f51c17a4cf 100644
--- a/net/tcp/tcp_input.c
+++ b/net/tcp/tcp_input.c
@@ -622,6 +622,16 @@ found:
 
   len = (tcp->tcpoffset >> 4) << 2;
 
+  /* d_appdata should remove the tcp specific option field. */
+
+  if ((tcp->tcpoffset & 0xf0) > 0x50)
+    {
+      if (dev->d_len >= len)
+        {
+          dev->d_appdata += len - TCP_HDRLEN;
+        }
+    }
+
   /* d_len will contain the length of the actual TCP data. This is
    * calculated by subtracting the length of the TCP header (in
    * len) and the length of the IP header.
@@ -629,17 +639,6 @@ found:
 
   dev->d_len -= (len + iplen);
 
-  /* d_appdata should remove the tcp specific option field. */
-
-  if ((tcp->tcpoffset & 0xf0) > 0x50)
-    {
-      len = ((tcp->tcpoffset >> 4) - 5) << 2;
-      if (dev->d_len >= len)
-        {
-          dev->d_appdata += len;
-        }
-    }
-
   /* Check if the sequence number of the incoming packet is what we are
    * expecting next.  If not, we send out an ACK with the correct numbers
    * in, unless we are in the SYN_RCVD state and receive a SYN, in which