X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=d28f4f5e4255249a7fe1cabfb2136b3eda20bf37;hb=93688d7341ada44755dc0432de3e3dbaaa8aa111;hp=0d29604e61ff497c8223a439d89443b34c17161e;hpb=6fdcc3daa40ebfcb793998b6e4527dd6db03cfb7;p=vpp.git diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 0d29604e61f..d28f4f5e425 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -23,6 +23,7 @@ #include #include +#include #include #include @@ -43,31 +44,6 @@ typedef enum ESP_ENCRYPT_N_NEXT, } esp_encrypt_next_t; -#define foreach_esp_encrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (POST_RX_PKTS, "ESP-post pkts received") \ - _ (HANDOFF, "Hand-off") \ - _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") \ - _ (NO_PROTECTION, "no protecting SA (packet dropped)") \ - _ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)") - -typedef enum -{ -#define _(sym,str) ESP_ENCRYPT_ERROR_##sym, - foreach_esp_encrypt_error -#undef _ - ESP_ENCRYPT_N_ERROR, -} esp_encrypt_error_t; - -static char *esp_encrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_encrypt_error -#undef _ -}; - typedef struct { u32 sa_index; @@ -84,6 +60,8 @@ typedef struct u32 next_index; } esp_encrypt_post_trace_t; +typedef vl_counter_esp_encrypt_enum_t esp_encrypt_error_t; + /* packet trace format function */ static u8 * format_esp_encrypt_trace (u8 * s, va_list * args) @@ -225,9 +203,8 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr) return len; } - p = (void *) (ip6 + 1); + p = ip6_next_header (ip6); len += ip6_ext_header_len (p); - while (ext_hdr_is_pre_esp (p->next_hdr)) { len += ip6_ext_header_len (p); 
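Review bot: In `esp_get_ip6_hdr_len`, the extension-header walk that starts at `p = ip6_next_header (ip6)` has no length bound: the function receives only `ip6` and `ext_hdr`, so `p->next_hdr` and `ip6_ext_header_len (p)` are read from wherever the packet's own length fields lead. Passing the remaining buffer length in and stopping the loop once `len` would exceed it would keep a malformed chain from being read past the packet data. Separately, `len += ip6_ext_header_len (p)` runs once before the loop and again as the first statement of the loop body with `p` unchanged, so the first extension header appears to be counted twice whenever the loop is entered. The rest of the loop body is outside this hunk, so this should be confirmed against the full function.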
@@ -842,16 +819,28 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, } else /* transport mode */ { - u8 *l2_hdr, l2_len, *ip_hdr, ip_len; + u8 *l2_hdr, l2_len, *ip_hdr; + u16 ip_len; ip6_ext_header_t *ext_hdr; udp_header_t *udp = 0; u16 udp_len = 0; u8 *old_ip_hdr = vlib_buffer_get_current (b[0]); + /* + * Get extension header chain length. It might be longer than the + * buffer's pre_data area. + */ ip_len = (VNET_LINK_IP6 == lt ? esp_get_ip6_hdr_len ((ip6_header_t *) old_ip_hdr, &ext_hdr) : ip4_header_bytes ((ip4_header_t *) old_ip_hdr)); + if ((old_ip_hdr - ip_len) < &b[0]->pre_data[0]) + { + err = ESP_ENCRYPT_ERROR_NO_BUFFERS; + esp_set_next_index (b[0], node, err, n_noop, noop_nexts, + drop_next); + goto trace; + } vlib_buffer_advance (b[0], ip_len); payload = vlib_buffer_get_current (b[0]); @@ -995,7 +984,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { tr->sa_index = sa_index0; tr->spi = sa0->spi; - tr->spi = sa0->spi; tr->seq = sa0->seq; tr->sa_seq_hi = sa0->seq_hi; tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0); @@ -1056,7 +1044,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, - n_sync, noop_bi, noop_nexts, drop_next); + n_noop, noop_bi, noop_nexts, drop_next); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); } @@ -1172,8 +1160,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", 
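Review bot: The new transport-mode headroom guard in `esp_encrypt_inline` forms the pointer `old_ip_hdr - ip_len` before comparing it, so a large `ip_len` yields a pointer below the start of the buffer object, which is undefined in C; comparing lengths avoids that: `if (ip_len > (uword) (old_ip_hdr - &b[0]->pre_data[0]))`. The guard also covers only headroom: nothing visible in this hunk checks `ip_len` against `b[0]->current_length` before `vlib_buffer_advance (b[0], ip_len)`, so a chain length derived from the packet's own extension headers could advance past the data. Widening `ip_len` to `u16` only helps if `esp_get_ip6_hdr_len` returns at least 16 bits; its return type is not shown in this diff and should be confirmed. Reusing `ESP_ENCRYPT_ERROR_NO_BUFFERS` for this drop makes oversized header chains indistinguishable from buffer exhaustion in the counters, so a dedicated counter would make such packets easier to detect.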
@@ -1201,8 +1189,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1222,8 +1210,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1242,8 +1230,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1262,8 +1250,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1292,8 +1280,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt-tun", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ 
@@ -1312,8 +1300,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1344,8 +1332,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1362,8 +1350,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1390,8 +1378,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; #ifndef CLIB_MARCH_VARIANT