When sending an encrypted packet which size after encapsulation exceeds MTU, ipsec-secgw application tries to fragment it. If --reassemble option has not been set it results with a segmantation fault, because fragmentation buckets have not been initialized. Fix crashing by adding extra check: if --ressemble option has not been set and packet exceeds MTU after encapsulation - drop it. Fixes: b01d1cd213 ("examples/ipsec-secgw: support fragmentation and reassembly") Cc: stable@dpdk.org Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> --- examples/ipsec-secgw/ipsec-secgw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 0d1fd6af6..91c602436 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -548,8 +548,10 @@ send_single_packet(struct rte_mbuf *m, uint16_t port, uint8_t proto) len++; /* need to fragment the packet */ - } else + } else if (frag_tbl_sz > 0) len = send_fragment_packet(qconf, m, port, proto); + else + rte_pktmbuf_free(m); /* enough pkts to be sent */ if (unlikely(len == MAX_PKT_BURST)) { -- 2.17.1
> -----Original Message----- > From: Smoczynski, MarcinX > Sent: Tuesday, September 24, 2019 11:55 AM > To: Ananyev, Konstantin <konstantin.ananyev@intel.com>; akhil.goyal@nxp.com > Cc: dev@dpdk.org; Smoczynski, MarcinX <marcinx.smoczynski@intel.com>; stable@dpdk.org > Subject: [PATCH] examples/ipsec-secgw: fix over MTU packet crash > > When sending an encrypted packet which size after encapsulation exceeds > MTU, ipsec-secgw application tries to fragment it. If --reassemble > option has not been set it results with a segmantation fault, because > fragmentation buckets have not been initialized. > > Fix crashing by adding extra check: if --ressemble option has not been > set and packet exceeds MTU after encapsulation - drop it. > > Fixes: b01d1cd213 ("examples/ipsec-secgw: support fragmentation and reassembly") > Cc: stable@dpdk.org > > Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com> > --- > examples/ipsec-secgw/ipsec-secgw.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > index 0d1fd6af6..91c602436 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -548,8 +548,10 @@ send_single_packet(struct rte_mbuf *m, uint16_t port, uint8_t proto) > len++; > > /* need to fragment the packet */ > - } else > + } else if (frag_tbl_sz > 0) > len = send_fragment_packet(qconf, m, port, proto); > + else > + rte_pktmbuf_free(m); > > /* enough pkts to be sent */ > if (unlikely(len == MAX_PKT_BURST)) { > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.17.1
> >
> > When sending an encrypted packet which size after encapsulation exceeds
> > MTU, ipsec-secgw application tries to fragment it. If --reassemble
> > option has not been set it results with a segmantation fault, because
> > fragmentation buckets have not been initialized.
> >
> > Fix crashing by adding extra check: if --ressemble option has not been
> > set and packet exceeds MTU after encapsulation - drop it.
> >
> > Fixes: b01d1cd213 ("examples/ipsec-secgw: support fragmentation and
> reassembly")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Applied to dpdk-next-crypto
Thanks.