ipsec: fix esp trace seq number overflow

Do not copy invalid seq number if packet is too small.

Type: fix

Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8
Signed-off-by: Benoît Ganne <bganne@cisco.com>

diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c
index f9341d6..974227f 100644 (file)
--- a/src/vnet/ipsec/ipsec_if_in.c
+++ b/src/vnet/ipsec/ipsec_if_in.c
@@ -457,7 +457,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              else
                clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
              tr->is_ip6 = is_ip6;
-             tr->seq = clib_host_to_net_u32 (esp0->seq);
+             tr->seq =
+               len0 >=
+               sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
            }
          if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
            {
@@ -468,7 +470,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              else
                clib_memcpy (&tr->key4, &key41, sizeof (tr->key4));
              tr->is_ip6 = is_ip6;
-             tr->seq = clib_host_to_net_u32 (esp1->seq);
+             tr->seq =
+               len1 >=
+               sizeof (*esp1) ? clib_host_to_net_u32 (esp1->seq) : ~0;
            }
        }
 
@@ -641,7 +645,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              else
                clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
              tr->is_ip6 = is_ip6;
-             tr->seq = clib_host_to_net_u32 (esp0->seq);
+             tr->seq =
+               len0 >=
+               sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
            }
        }
 

diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index 04f7a92..d88cc08 100644 (file)
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -376,7 +376,9 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              else
                clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
              tr->is_ip6 = is_ip6;
-             tr->seq = clib_host_to_net_u32 (esp0->seq);
+             tr->seq =
+               len0 >=
+               sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
            }
        }