IPSEC: crypto overflow

decrypting too many bytes.

Change-Id: I4663e70271d9734eda7f9a127967b9224c0e5efc
Signed-off-by: Neale Ranns <nranns@cisco.com>
(cherry picked from commit 0a0c7eef787dbf29c8b018420cb9d244cbe8d2dd)

diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index fc4a99a..759b1d9 100644 (file)
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -234,7 +234,7 @@ esp_decrypt_inline (vlib_main_t * vm,
          op->key = sa0->crypto_key.data;
          op->iv = payload;
          op->src = op->dst = payload += cpd.iv_sz;
-         op->len = len;
+         op->len = len - cpd.iv_sz;
          op->user_data = b - bufs;
        }