ping: fix buffer allocator error handling

The code sets f->n_vectors = n_to_send, but it can bail out of the
loop if vlib_buffer_copy(...) returns 0.

Need to fix f->n_vectors in the error return path, or we enqueue some
number of 0xfefefefe buffer indices in a debug image or worse in a
production image.

Type: fix

Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2d886266006c6c1c2f9ef8e3b95eb46ac6c0b3df
(cherry picked from commit 8324c55f95dd5ddbf1f5f9c47907204a12e152ef)

diff --git a/src/plugins/ping/ping.c b/src/plugins/ping/ping.c
index 7045648..f56f44f 100755 (executable)
--- a/src/plugins/ping/ping.c
+++ b/src/plugins/ping/ping.c
@@ -933,6 +933,8 @@ ip46_enqueue_packet (vlib_main_t * vm, vlib_buffer_t * b0, u32 burst,
    * we did not enqueue it here yet.
    */
 ship_and_ret:
+  ASSERT (n_to_send <= f->n_vectors);
+  f->n_vectors -= n_to_send;
   n_sent += f->n_vectors;
   vlib_put_frame_to_node (vm, lookup_node_index, f);
   return n_sent;