authorSergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>2016-07-12 13:49:35 +0100
committerThomas Monjalon <thomas.monjalon@6wind.com>2016-07-16 00:11:51 +0200
commit0a08ab548d1afa15080cdd93edbcd6776b36f4a2 (patch)
treef530fe55208e9c5bac999b57b5589df79abaeffd /examples
parent6dad6e692bd74ea8ade42dd3c8a27264027c659c (diff)
examples/ipsec-secgw: fix inbound crash
When sending Inbound non-IPSec traffic that matches an Inbound Security Policy set to Protect, the code will check that the SPI of the packet and the associated Security Association match. That check should only be done for IPSec packets and results in SEGFAULT when done on non-IPSec packets.

Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Diffstat (limited to 'examples')
-rw-r--r--examples/ipsec-secgw/ipsec-secgw.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index f78743d..1ca144b 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -384,7 +384,8 @@ send_single_packet(struct rte_mbuf *m, uint8_t port)
}
static inline void
-inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip)
+inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
+ uint16_t lim)
{
struct rte_mbuf *m;
uint32_t i, j, res, sa_idx;
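Review bot: The new `lim` parameter of inbound_sp_sa is undocumented, and its name does not say what it bounds. Judging from the call sites, which pass the `ip4.num`/`ip6.num` values read right after ipsec_inbound(), it appears to be the number of entries in `ip` that arrived in clear and never went through IPsec processing. A comment above the function would make the later `i < lim` drop readable, for example `/* lim: count of leading entries in ip->pkts received without IPsec; a PROTECT result on those is a policy violation and the packet is dropped */`. The same comment should note that the snapshot in process_pkts_inbound must be taken before any decrypted packet is added to `traffic->ip4`/`traffic->ip6`. The function body continues outside this hunk.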
@@ -399,15 +400,15 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip)
for (i = 0; i < ip->num; i++) {
m = ip->pkts[i];
res = ip->res[i];
- if (res & DISCARD) {
- rte_pktmbuf_free(m);
- continue;
- }
if (res & BYPASS) {
ip->pkts[j++] = m;
continue;
}
- /* Check return SA SPI matches pkt SPI */
+ if (res & DISCARD || i < lim) {
+ rte_pktmbuf_free(m);
+ continue;
+ }
+ /* Only check SPI match for processed IPSec packets */
sa_idx = ip->res[i] & PROTECT_MASK;
if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
rte_pktmbuf_free(m);
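Review bot: The BYPASS test now runs before the DISCARD test in this loop, so a result word carrying both bits would be forwarded instead of dropped. If the ACL result can only ever encode one action the two orders are equivalent, but that invariant is not visible here, and for a security gateway the fail-closed order is the safer default. Consider keeping `if (res & DISCARD) { rte_pktmbuf_free(m); continue; }` ahead of the BYPASS branch and adding a separate `if (i < lim) { rte_pktmbuf_free(m); continue; }` after it. If the combined condition stays, write it as `if ((res & DISCARD) || i < lim)` so the precedence is explicit and does not trip `-Wparentheses`-style warnings. The loop body continues past the end of this hunk.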
@@ -423,11 +424,14 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
struct ipsec_traffic *traffic)
{
struct rte_mbuf *m;
- uint16_t idx, nb_pkts_in, i;
+ uint16_t idx, nb_pkts_in, i, n_ip4, n_ip6;
nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts,
traffic->ipsec.num, MAX_PKT_BURST);
+ n_ip4 = traffic->ip4.num;
+ n_ip6 = traffic->ip6.num;
+
/* SP/ACL Inbound check ipsec and ip4 */
for (i = 0; i < nb_pkts_in; i++) {
m = traffic->ipsec.pkts[i];
@@ -447,9 +451,11 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx,
rte_pktmbuf_free(m);
}
- inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4);
+ inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4,
+ n_ip4);
- inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6);
+ inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6,
+ n_ip6);
}
static inline void