ipsec: keep esp encrypt pointer and index synced

Type: fix

In esp_encrypt_inline(), an index and pointer to the last processed SA
are stored. If the next packet uses the same SA, we defer on updating
counters until a different SA is encountered.

The pointer was being retrieved, then the SA was checked to see if the
packet should be dropped due to no crypto/integ algs, then the index was
updated. If the check failed, we would skip further processing and now
the pointer refers to a different SA than the index. When you have a
batch of packets that are encrypted using an SA followed by a packet
which is dropped for no algs and then more packets to be encrypted using
the original SA, the packets that arrive after the one that was dropped
end up being processed using a pointer that refers to the wrong SA data.
This can result in a segv.

Update the current_sa_index at the same time that the sa0 pointer is
updated.

Signed-off-by: Matthew Smith <[email protected]>
Change-Id: I65f1511a37475b4f737f5e1b51749c0a30e88806
(cherry picked from commit dac9e566cd16fc375fff14280b37cb5135584fc6)

diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index a836453..8a1ac7e 100644 (file)
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -690,6 +690,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
          current_sa_packets = current_sa_bytes = 0;
 
          sa0 = ipsec_sa_get (sa_index0);
+         current_sa_index = sa_index0;
 
          if (PREDICT_FALSE ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
                              sa0->integ_alg == IPSEC_INTEG_ALG_NONE) &&
@@ -701,7 +702,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
                                          sa_index0);
              goto trace;
            }
-         current_sa_index = sa_index0;
          vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index,
                                          current_sa_index);