nat: fix ICMP checksum validation

[vpp.git] / src / plugins / nat / nat44-ed / nat44_ed.c

diff --git a/src/plugins/nat/nat44-ed/nat44_ed.c b/src/plugins/nat/nat44-ed/nat44_ed.c
index 4e13907..8ad971d 100644 (file)
--- a/src/plugins/nat/nat44-ed/nat44_ed.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed.c
@@ -3694,15 +3694,6 @@ nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
          return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
        }
 
-      ssize_t icmp_offset = (u8 *) icmp - (u8 *) vlib_buffer_get_current (b);
-      ip_csum_t sum =
-       ip_incremental_checksum (0, icmp, b->current_length - icmp_offset);
-      sum = (u16) ~ip_csum_fold (sum);
-      if (sum != 0)
-       {
-         return NAT_ED_TRNSL_ERR_INVALID_CSUM;
-       }
-
       if (!icmp_type_is_error_message (icmp->type))
        {
          if ((f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE) &&
@@ -3718,6 +3709,15 @@ nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
        }
       else
        {
+         ip_csum_t sum = ip_incremental_checksum (
+           0, icmp,
+           clib_net_to_host_u16 (ip->length) - ip4_header_bytes (ip));
+         sum = (u16) ~ip_csum_fold (sum);
+         if (sum != 0)
+           {
+             return NAT_ED_TRNSL_ERR_INVALID_CSUM;
+           }
+
          // errors are not fragmented
          ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);