dpdk-ipsec: don't leak buffers on crypto alloc failure

[vpp.git] / src / plugins / dpdk / ipsec / esp_decrypt.c

diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index d781710..dcf7fda 100644 (file)
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -45,7 +45,7 @@ typedef enum
  _(REPLAY, "SA replayed packet")                \
  _(NOT_IP, "Not IP packet (dropped)")           \
  _(ENQ_FAIL, "Enqueue decrypt failed (queue full)")     \
- _(DISCARD, "Not enough crypto operations, discarding frame")  \
+ _(DISCARD, "Not enough crypto operations")      \
  _(BAD_LEN, "Invalid ciphertext length")         \
  _(SESSION, "Failed to get crypto session")      \
  _(NOSUP, "Cipher/Auth not supported")
@@ -121,11 +121,12 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
     {
       if (is_ip6)
        vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index,
-                                    ESP_DECRYPT_ERROR_DISCARD, 1);
+                                    ESP_DECRYPT_ERROR_DISCARD, n_left_from);
       else
        vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index,
-                                    ESP_DECRYPT_ERROR_DISCARD, 1);
+                                    ESP_DECRYPT_ERROR_DISCARD, n_left_from);
       /* Discard whole frame */
+      vlib_buffer_free (vm, from, n_left_from);
       return n_left_from;
     }