IPSEC: ESP IPv6 transport mode payload length incorrect (VPP-1653)

Change-Id: I8977100d7a22b50260858bd1ea9db419b53284ff
Signed-off-by: Neale Ranns <[email protected]>

diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e319a96..f1153d9 100644 (file)
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -402,7 +402,9 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr);
              *next_hdr_ptr = ip6->protocol;
              ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
-             ip6->payload_length = payload_len + hdr_len - l2_len - ip_len;
+             ip6->payload_length =
+               clib_host_to_net_u16 (payload_len + hdr_len - l2_len -
+                                     ip_len);
            }
          else
            {

diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index efe49f1..b954af1 100644 (file)
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -451,6 +451,8 @@ class IpsecTra6(object):
             recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
                                              self.tra_if)
             for rx in recv_pkts:
+                self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
+                                 rx[IPv6].plen)
                 try:
                     decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
                     self.assert_packet_checksums_valid(decrypted)
@@ -648,6 +650,8 @@ class IpsecTun6(object):
                                        count=count)
             recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
             for recv_pkt in recv_pkts:
+                self.assertEqual(len(recv_pkt) - len(Ether()) - len(IPv6()),
+                                 recv_pkt[IPv6].plen)
                 try:
                     decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
                     if not decrypt_pkt.haslayer(IPv6):