From f6cb04460465d48a155aa3363106a82d160c7328 Mon Sep 17 00:00:00 2001
From: Christian Hopps <chopps@labn.net>
Date: Tue, 14 Jul 2020 08:39:30 -0400
Subject: [PATCH] dpdk-ipsec: don't leak buffers on crypto alloc failure

Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I4dee2ea723631e1bd95b33a74b9431d984565aef
---
 src/plugins/dpdk/ipsec/esp_decrypt.c | 7 ++++---
 src/plugins/dpdk/ipsec/esp_encrypt.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index d7817100e4c..dcf7fda915c 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -45,7 +45,7 @@ typedef enum
  _(REPLAY, "SA replayed packet")	         \
  _(NOT_IP, "Not IP packet (dropped)")	         \
  _(ENQ_FAIL, "Enqueue decrypt failed (queue full)")     \
- _(DISCARD, "Not enough crypto operations, discarding frame")  \
+ _(DISCARD, "Not enough crypto operations")      \
  _(BAD_LEN, "Invalid ciphertext length")         \
  _(SESSION, "Failed to get crypto session")      \
  _(NOSUP, "Cipher/Auth not supported")
@@ -121,11 +121,12 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
     {
       if (is_ip6)
 	vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index,
-				     ESP_DECRYPT_ERROR_DISCARD, 1);
+				     ESP_DECRYPT_ERROR_DISCARD, n_left_from);
       else
 	vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index,
-				     ESP_DECRYPT_ERROR_DISCARD, 1);
+				     ESP_DECRYPT_ERROR_DISCARD, n_left_from);
       /* Discard whole frame */
+      vlib_buffer_free (vm, from, n_left_from);
       return n_left_from;
     }
 
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index e78cb2d88d4..d6a55ecfc25 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -46,7 +46,7 @@ typedef enum
  _(RX_PKTS, "ESP pkts received")                    \
  _(SEQ_CYCLED, "Sequence number cycled")            \
  _(ENQ_FAIL, "Enqueue encrypt failed (queue full)")     \
- _(DISCARD, "Not enough crypto operations, discarding frame")  \
+ _(DISCARD, "Not enough crypto operations")         \
  _(SESSION, "Failed to get crypto session")         \
  _(NOSUP, "Cipher/Auth not supported")
 
@@ -141,11 +141,12 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
     {
       if (is_ip6)
 	vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index,
-				     ESP_ENCRYPT_ERROR_DISCARD, 1);
+				     ESP_ENCRYPT_ERROR_DISCARD, n_left_from);
       else
 	vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index,
-				     ESP_ENCRYPT_ERROR_DISCARD, 1);
+				     ESP_ENCRYPT_ERROR_DISCARD, n_left_from);
       /* Discard whole frame */
+      vlib_buffer_free (vm, from, n_left_from);
       return n_left_from;
     }
 
-- 
2.16.6