Type: fix
There is a statically allocated array for inbound SAs which can hold
4 IDs. The input parameter containing the IDs of th inbound SAs is a
vector and Its possible to pass a vector with more than 4 elements
and write the memory past the end of the array. Fail if more than 4
SAs are passed in the vector.
Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
format_ip_address, nh);
format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
format_ip_address, nh);
+ if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
+ {
+ rv = VNET_API_ERROR_LIMIT_EXCEEDED;
+ goto out;
+ }
+
rv = 0;
im = &ipsec_main;
if (NULL == nh)
rv = 0;
im = &ipsec_main;
if (NULL == nh)
ip46_address_t dst;
} ipsec_ep_t;
ip46_address_t dst;
} ipsec_ep_t;
+#define ITP_MAX_N_SA_IN 4
+
typedef struct ipsec_tun_protect_t_
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
typedef struct ipsec_tun_protect_t_
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
/* not using a vector since we want the memory inline
* with this struct */
u32 itp_n_sa_in;
/* not using a vector since we want the memory inline
* with this struct */
u32 itp_n_sa_in;
+ index_t itp_in_sas[ITP_MAX_N_SA_IN];