From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id B77CE968 for ; Tue, 12 Jul 2016 14:49:37 +0200 (CEST) Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga102.jf.intel.com with ESMTP; 12 Jul 2016 05:49:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.28,351,1464678000"; d="scan'208";a="1015318254" Received: from sie-lab-212-209.ir.intel.com (HELO silpixa00377983.ir.intel.com) ([10.237.212.209]) by orsmga002.jf.intel.com with ESMTP; 12 Jul 2016 05:49:37 -0700 From: Sergio Gonzalez Monroy To: dev@dpdk.org Date: Tue, 12 Jul 2016 13:49:35 +0100 Message-Id: <1468327775-67706-1-git-send-email-sergio.gonzalez.monroy@intel.com> X-Mailer: git-send-email 2.4.11 Subject: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix inbound segfault X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jul 2016 12:49:38 -0000 When sending Inbound non IPSec traffic that matches an Inbound Security Policy set to Protect, the code will check that the SPI of the packet and the associated Security Association match. That check should only be done for IPSec packets and results in SEGFAULT when done on non IPSec packets. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Signed-off-by: Sergio Gonzalez Monroy --- examples/ipsec-secgw/ipsec-secgw.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index f78743d..1ca144b 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -384,7 +384,8 @@ send_single_packet(struct rte_mbuf *m, uint8_t port) } static inline void -inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip) +inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, + uint16_t lim) { struct rte_mbuf *m; uint32_t i, j, res, sa_idx; @@ -399,15 +400,15 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip) for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; res = ip->res[i]; - if (res & DISCARD) { - rte_pktmbuf_free(m); - continue; - } if (res & BYPASS) { ip->pkts[j++] = m; continue; } - /* Check return SA SPI matches pkt SPI */ + if (res & DISCARD || i < lim) { + rte_pktmbuf_free(m); + continue; + } + /* Only check SPI match for processed IPSec packets */ sa_idx = ip->res[i] & PROTECT_MASK; if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); @@ -423,11 +424,14 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx, struct ipsec_traffic *traffic) { struct rte_mbuf *m; - uint16_t idx, nb_pkts_in, i; + uint16_t idx, nb_pkts_in, i, n_ip4, n_ip6; nb_pkts_in = ipsec_inbound(ipsec_ctx, traffic->ipsec.pkts, traffic->ipsec.num, MAX_PKT_BURST); + n_ip4 = traffic->ip4.num; + n_ip6 = traffic->ip6.num; + /* SP/ACL Inbound check ipsec and ip4 */ for (i = 0; i < nb_pkts_in; i++) { m = traffic->ipsec.pkts[i]; @@ -447,9 +451,11 @@ process_pkts_inbound(struct ipsec_ctx *ipsec_ctx, rte_pktmbuf_free(m); } - inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4); + inbound_sp_sa(ipsec_ctx->sp4_ctx, ipsec_ctx->sa_ctx, &traffic->ip4, + n_ip4); - inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6); + inbound_sp_sa(ipsec_ctx->sp6_ctx, ipsec_ctx->sa_ctx, &traffic->ip6, + n_ip6); } static inline void -- 2.4.11