Code Review / vpp.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: c576622)
span: crash in span_mirror [VPP-1254] 24/12124/2
authorSteven <sluong@cisco.com>
Wed, 25 Apr 2018 05:43:07 +0000 (22:43 -0700)
committerDamjan Marion <dmarion.lists@gmail.com>
Wed, 25 Apr 2018 16:49:51 +0000 (16:49 +0000)
It is possible for span-input to get call with sw_if_index which is greater than
sm->interfaces and crashes in span_mirror () in the following line

  span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);

For example, span-input mirrors a main interface as source, it may actually get
call for traffic coming in from the subinterface and crashes.

The fix is simply to check if sw_if_index >= vec_len (sm->interfaces) and
punt if it is.

Change-Id: I8312eb321d638518e14ba2326fffd1a7919646ca
Signed-off-by: Steven <sluong@cisco.com>
(cherry picked from commit 516d63ff2c6671f3b0dc641511a50017a9804179)

src/vnet/span/node.c patch | blob | history

diff --git a/src/vnet/span/node.c b/src/vnet/span/node.c
index 8e2105b..13e92ab 100644 (file)
--- a/src/vnet/span/node.c
+++ b/src/vnet/span/node.c
@@ -70,9 +70,14 @@ span_mirror (vlib_main_t * vm, vlib_node_runtime_t * node, u32 sw_if_index0,
   vnet_main_t *vnm = &vnet_main;
   u32 *to_mirror_next = 0;
   u32 i;
+  span_interface_t *si0;
+  span_mirror_t *sm0;
 
-  span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
-  span_mirror_t *sm0 = &si0->mirror_rxtx[sf][rxtx];
+  if (sw_if_index0 >= vec_len (sm->interfaces))
+    return;
+
+  si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
+  sm0 = &si0->mirror_rxtx[sf][rxtx];
 
   if (sm0->num_mirror_ports == 0)
     return;
Vector Packet Processing