session: extra checks in session validation

[vpp.git] / src / vnet / tls / tls.c

diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 3048190..cfe2c3a 100644 (file)
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -358,10 +358,18 @@ void
 tls_session_reset_callback (session_t * s)
 {
   tls_ctx_t *ctx;
+  transport_connection_t *tc;
+  session_t *app_session;
 
   ctx = tls_ctx_get (s->opaque);
-  session_transport_reset_notify (&ctx->connection);
-  session_transport_closed_notify (&ctx->connection);
+  tc = &ctx->connection;
+  if (tls_ctx_handshake_is_over (ctx))
+    {
+      session_transport_reset_notify (tc);
+      session_transport_closed_notify (tc);
+    }
+  else if ((app_session = session_get (tc->s_index, tc->thread_index)))
+    session_free (app_session);
   tls_disconnect_transport (ctx);
 }
 
@@ -386,7 +394,10 @@ tls_session_disconnect_callback (session_t * tls_session)
   TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque,
           tls_session->session_index);
 
-  ctx = tls_ctx_get (tls_session->opaque);
+  ASSERT (tls_session->thread_index == vlib_get_thread_index ()
+         || vlib_thread_is_main_w_barrier ());
+
+  ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index);
   ctx->is_passive_close = 1;
   tls_ctx_transport_close (ctx);
 }
@@ -417,7 +428,7 @@ tls_session_accept_callback (session_t * tls_session)
   /* Preallocate app session. Avoids allocating a session post handshake
    * on tls_session rx and potentially invalidating the session pool */
   app_session = session_alloc (ctx->c_thread_index);
-  app_session->session_state = SESSION_STATE_CLOSED;
+  app_session->session_state = SESSION_STATE_CREATED;
   ctx->c_s_index = app_session->session_index;
 
   TLS_DBG (1, "Accept on listener %u new connection [%u]%x",
@@ -484,7 +495,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index,
   /* Preallocate app session. Avoids allocating a session post handshake
    * on tls_session rx and potentially invalidating the session pool */
   app_session = session_alloc (ctx->c_thread_index);
-  app_session->session_state = SESSION_STATE_CLOSED;
+  app_session->session_state = SESSION_STATE_CREATED;
   ctx->c_s_index = app_session->session_index;
 
   return tls_ctx_init_client (ctx);
@@ -881,6 +892,7 @@ static clib_error_t *
 tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
 {
   tls_main_t *tm = &tls_main;
+  uword tmp;
   while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
     {
       if (unformat (input, "use-test-cert-in-ca"))
@@ -890,9 +902,15 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
       else if (unformat (input, "first-segment-size %U", unformat_memory_size,
                         &tm->first_seg_size))
        ;
-      else if (unformat (input, "fifo-size %U", unformat_memory_size,
-                        &tm->fifo_size))
-       ;
+      else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp))
+       {
+         if (tmp >= 0x100000000ULL)
+           {
+             return clib_error_return
+               (0, "fifo-size %llu (0x%llx) too large", tmp, tmp);
+           }
+         tm->fifo_size = tmp;
+       }
       else
        return clib_error_return (0, "unknown input `%U'",
                                  format_unformat_error, input);