Fix coverity issues in IPSec code, fixes VPP-189 02/2402/3
authorDamjan Marion <damarion@cisco.com>
Tue, 16 Aug 2016 09:27:02 +0000 (11:27 +0200)
committerFlorin Coras <florin.coras@gmail.com>
Wed, 17 Aug 2016 08:21:42 +0000 (08:21 +0000)
Change-Id: I4e43606884ebad9a84abda779b82417192727ef3
Signed-off-by: Damjan Marion <damarion@cisco.com>
vnet/vnet/ipsec/esp_decrypt.c
vnet/vnet/ipsec/esp_encrypt.c
vnet/vnet/ipsec/ikev2.c
vnet/vnet/ipsec/ipsec_cli.c
vnet/vnet/ipsec/ipsec_output.c

index 49b1dfe..c350508 100644 (file)
@@ -484,11 +484,11 @@ esp_decrypt_node_fn (vlib_main_t * vm,
                {
                  o_b0->flags |= VLIB_BUFFER_IS_TRACED;
                  o_b0->trace_index = i_b0->trace_index;
+                 esp_decrypt_trace_t *tr =
+                   vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+                 tr->crypto_alg = sa0->crypto_alg;
+                 tr->integ_alg = sa0->integ_alg;
                }
-             esp_decrypt_trace_t *tr =
-               vlib_add_trace (vm, node, o_b0, sizeof (*tr));
-             tr->crypto_alg = sa0->crypto_alg;
-             tr->integ_alg = sa0->integ_alg;
            }
 
          vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
@@ -501,7 +501,8 @@ esp_decrypt_node_fn (vlib_main_t * vm,
                               from_frame->n_vectors);
 
 free_buffers_and_exit:
-  vlib_buffer_free (vm, recycle, vec_len (recycle));
+  if (recycle)
+    vlib_buffer_free (vm, recycle, vec_len (recycle));
   vec_free (recycle);
   return from_frame->n_vectors;
 }
index 44999bd..45b4b3b 100644 (file)
@@ -270,7 +270,8 @@ esp_encrypt_node_fn (vlib_main_t * vm,
              ip_proto = ih0->ip4.protocol;
            }
 
-         if (PREDICT_TRUE (sa0->is_tunnel && !sa0->is_tunnel_ip6))
+         if (PREDICT_TRUE
+             (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6))
            {
              oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
              oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
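Review bot: With the `!is_ipv6` test added at L47-48 (and the matching `is_ipv6` at L57), a packet whose IP version does not match the SA's tunnel address family takes neither tunnel branch and falls into whatever `else` follows L60, which is outside this hunk; if that is the transport-mode path, a mismatched packet on a tunnel SA is presumably forwarded without the outer header instead of being rejected. The old code dereferenced the wrong outer-header pointer in that case (the Coverity finding), so the guard is right, but the mismatch itself deserves an explicit drop with an error counter rather than a silent fall-through — the drop next index and error enum are not visible here, so confirm them before adding it. At minimum a comment on L47, `/* tunnel SA address family must match the packet's; a mismatch falls through to the branch below */`, tells the next reader this is deliberate. esp_encrypt_node_fn begins and ends outside this hunk.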
@@ -279,7 +280,7 @@ esp_encrypt_node_fn (vlib_main_t * vm,
              next0 = ESP_ENCRYPT_NEXT_IP4_INPUT;
              vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
            }
-         else if (sa0->is_tunnel && sa0->is_tunnel_ip6)
+         else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6)
            {
              oh6_0->ip6.src_address.as_u64[0] =
                sa0->tunnel_src_addr.ip6.as_u64[0];
@@ -387,13 +388,13 @@ esp_encrypt_node_fn (vlib_main_t * vm,
                {
                  o_b0->flags |= VLIB_BUFFER_IS_TRACED;
                  o_b0->trace_index = i_b0->trace_index;
+                 esp_encrypt_trace_t *tr =
+                   vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+                 tr->spi = sa0->spi;
+                 tr->seq = sa0->seq - 1;
+                 tr->crypto_alg = sa0->crypto_alg;
+                 tr->integ_alg = sa0->integ_alg;
                }
-             esp_encrypt_trace_t *tr =
-               vlib_add_trace (vm, node, o_b0, sizeof (*tr));
-             tr->spi = sa0->spi;
-             tr->seq = sa0->seq - 1;
-             tr->crypto_alg = sa0->crypto_alg;
-             tr->integ_alg = sa0->integ_alg;
            }
 
          vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
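Review bot: `tr->seq = sa0->seq - 1;` at L68 only makes sense if sa0->seq was already advanced for this packet earlier in the function, which happens outside this hunk, and the bare subtraction gives a reader no hint of that. Suggest `/* seq was already incremented for this packet; record the value placed in the ESP header */` on that line, after confirming the increment precedes this point on every path that reaches the trace. The trace block itself is now correctly limited to buffers carrying VLIB_BUFFER_IS_TRACED, so no other change is needed here. esp_encrypt_node_fn begins and ends outside this hunk.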
@@ -407,7 +408,8 @@ esp_encrypt_node_fn (vlib_main_t * vm,
                               from_frame->n_vectors);
 
 free_buffers_and_exit:
-  vlib_buffer_free (vm, recycle, vec_len (recycle));
+  if (recycle)
+    vlib_buffer_free (vm, recycle, vec_len (recycle));
   vec_free (recycle);
   return from_frame->n_vectors;
 }
index dd00c9e..af9d99d 100644 (file)
@@ -1677,6 +1677,7 @@ ikev2_node_fn (vlib_main_t * vm,
          udp_header_t *udp0;
          ike_header_t *ike0;
          ikev2_sa_t *sa0 = 0;
+         ikev2_sa_t sa;        /* temporary store for SA */
          int len = 0;
          int r;
 
@@ -1704,7 +1705,6 @@ ikev2_node_fn (vlib_main_t * vm,
 
          if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
            {
-             ikev2_sa_t sa;    /* temporary store for SA */
              sa0 = &sa;
              memset (sa0, 0, sizeof (*sa0));
 
index f255470..8b15110 100644 (file)
@@ -171,7 +171,7 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm,
                              vlib_cli_command_t * cmd)
 {
   unformat_input_t _line_input, *line_input = &_line_input;
-  u32 spd_id;
+  u32 spd_id = ~0;
   int is_add = ~0;
 
   if (!unformat_user (input, unformat_line_input, line_input))
@@ -192,6 +192,9 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm,
 
   unformat_free (line_input);
 
+  if (spd_id == ~0)
+    return clib_error_return (0, "please specify SPD ID");
+
   ipsec_add_del_spd (vm, spd_id, is_add);
 
   return 0;
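Review bot: The new spd_id check at L122-123 is the only validation before the call on L125, while `is_add` is sentinel-initialised to `~0` in the previous hunk (L115) and is handed to ipsec_add_del_spd unchanged if neither add nor del was parsed — the parsing loop is outside this hunk, so confirm whether it guarantees an assignment. A parallel `if (is_add == ~0) return clib_error_return (0, "please specify add or del");` would close that gap. The result of ipsec_add_del_spd is also discarded, so a failed delete of an unknown SPD would still report success to the operator; if the function signals failure through its return value, propagate it as a clib_error. ipsec_spd_add_del_command_fn begins outside this hunk.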
index e72890d..c27e8e6 100644 (file)
@@ -103,6 +103,9 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
   ipsec_policy_t *p;
   u32 *i;
 
+  if (!spd)
+    return 0;
+
   vec_foreach (i, spd->ipv4_outbound_policies)
   {
     p = pool_elt_at_index (spd->policies, *i);
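Review bot: `if (!spd) return 0;` at L133-134 (and its IPv6 twin at L143-144) makes a missing SPD indistinguishable from "no policy matched", so whether a NULL spd fails open or fails closed is decided entirely by how the caller treats a NULL policy, and that caller is outside this hunk. If the no-match path forwards the packet in clear, an interface that somehow has IPsec output enabled without an SPD attached would silently bypass protection; if it drops, the guard is safe but should say so. Suggest `/* no SPD attached: report no match; the caller decides whether that bypasses or drops */` on L133, and verify the caller's no-match behaviour is the intended one. ipsec_output_policy_match's body continues outside this hunk.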
@@ -159,6 +162,9 @@ ipsec_output_ip6_policy_match (ipsec_spd_t * spd,
   ipsec_policy_t *p;
   u32 *i;
 
+  if (!spd)
+    return 0;
+
   vec_foreach (i, spd->ipv6_outbound_policies)
   {
     p = pool_elt_at_index (spd->policies, *i);
@@ -365,7 +371,7 @@ ipsec_output_node_fn (vlib_main_t * vm,
       from += 1;
       n_left_from -= 1;
 
-      if (PREDICT_FALSE ((last_next_node_index != next_node_index)))
+      if (PREDICT_FALSE ((last_next_node_index != next_node_index) || f == 0))
        {
          /* if this is not 1st frame */
          if (f)
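Review bot: The added `|| f == 0` at L154 changes the frame-switch condition so the very first packet always enters the allocation path regardless of what `last_next_node_index` starts as, but nothing on the line says why the second test is needed. Suggest `/* also enter on the first packet, before any frame has been allocated */` next to the condition. The `if (f)` guard at L157 and the rest of the branch are outside this hunk, so I cannot confirm that the initial value of `last_next_node_index` no longer needs to be a sentinel — if it does not, its initialiser could be simplified accordingly. ipsec_output_node_fn begins and ends outside this hunk.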