ipsec: fix integer overflow

Type: fix
Coverity issue: 394440

Change-Id: I915a088145ee1317a7c8746b517f4af50323aa11
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>

diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 4f73f1e..640d928 100644 (file)
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -486,7 +486,7 @@ ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq,
       return 0;
     }
 
-  if (PREDICT_TRUE (sa->seq >= window_size - 1))
+  if (PREDICT_TRUE (window_size > 0 && sa->seq >= window_size - 1))
     {
       /*
        * the last sequence number VPP received is more than one