New upstream version 16.11.8

[deb_dpdk.git] / examples / ipsec-secgw / ipsec-secgw.c

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 9cccd8a..05c7645 100644 (file)
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -304,6 +304,7 @@ prepare_tx_pkt(struct rte_mbuf *pkt, uint8_t port)
                pkt->l3_len = sizeof(struct ip);
                pkt->l2_len = ETHER_HDR_LEN;
 
+               ip->ip_sum = 0;
                ethhdr->ether_type = rte_cpu_to_be_16(ETHER_TYPE_IPv4);
        } else {
                pkt->ol_flags |= PKT_TX_IPV6;
@@ -409,7 +410,8 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
                }
                /* Only check SPI match for processed IPSec packets */
                sa_idx = ip->res[i] & PROTECT_MASK;
-               if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
+               if (sa_idx >= IPSEC_SA_MAX_ENTRIES ||
+                               !inbound_sa_check(sa, m, sa_idx)) {
                        rte_pktmbuf_free(m);
                        continue;
                }
@@ -474,13 +476,15 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip,
        for (i = 0; i < ip->num; i++) {
                m = ip->pkts[i];
                sa_idx = ip->res[i] & PROTECT_MASK;
-               if ((ip->res[i] == 0) || (ip->res[i] & DISCARD))
+               if (ip->res[i] & DISCARD)
                        rte_pktmbuf_free(m);
-               else if (sa_idx != 0) {
+               else if (ip->res[i] & BYPASS)
+                       ip->pkts[j++] = m;
+               else if (sa_idx < IPSEC_SA_MAX_ENTRIES) {
                        ipsec->res[ipsec->num] = sa_idx;
                        ipsec->pkts[ipsec->num++] = m;
-               } else /* BYPASS */
-                       ip->pkts[j++] = m;
+               } else /* invalid SA idx */
+                       rte_pktmbuf_free(m);
        }
        ip->num = j;
 }