Code Review / vpp.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 43ba292) | patch
ipsec: drop outbound ESP when no crypto alg set 93/20593/2
authorMatthew Smith <mgsmith@netgate.com>
Mon, 8 Jul 2019 19:45:04 +0000 (14:45 -0500)
committerNeale Ranns <nranns@cisco.com>
Fri, 12 Jul 2019 14:23:28 +0000 (14:23 +0000)
commit401aedfb032d69daa876544e8e0a2973d69c50ac
tree4c4caf2f1a84bc0548b5973fc5794bab487e2649tree | snapshot
parent43ba29267b1f1db04cba0af1f994a5c8477ca870commit | diff
ipsec: drop outbound ESP when no crypto alg set

Type: fix

If a tunnel interface has the crypto alg set on the outbound SA to
IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface,
the attempt to write an ESP trailer on the packet occurs at the
wrong offset and the vnet buffer opaque data is corrupted, which
can result in a SEGV when a subsequent node attempts to use that
data.

When an outbound SA is set on a tunnel interface which has no crypto
alg set, add a node to the ip{4,6}-output feature arcs which drops all
packets leaving that interface instead of adding the node which would
try to encrypt the packets.

Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
src/vnet/ipsec/esp_encrypt.c diff | blob | history
src/vnet/ipsec/ipsec.c diff | blob | history
src/vnet/ipsec/ipsec.h diff | blob | history
src/vnet/ipsec/ipsec_if.c diff | blob | history
Vector Packet Processing