From: Andrew Yourtchenko Date: Thu, 4 Oct 2018 13:11:01 +0000 (+0200) Subject: acl-plugin: tuplemerge: avoid batch-resize of the applied entries vector - VPP-1352 X-Git-Tag: v18.10-rc1~28 X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commitdiff_plain;h=6f40a8a4c5792c5c5e5c77366e98b1f10370d685 acl-plugin: tuplemerge: avoid batch-resize of the applied entries vector - VPP-1352 If the number of rules within a given partition exceeds the limit, the split_partition() might get called, in which we calculate the relaxed mask, create a new partition with that mask and attempt to reallocate some entries from the overcrowded partition. The non-TM code was pre-expanding the vector with rules by the number of rules in the new ACL being applied - which caused the split_partition() to iterate over the rules filled with zeroes. Most of the time it is benign, but if a newly created relaxed partition is such that these entries can be "relocated", then the code attempts to do so, which does not end well. Change-Id: I2dbf3ccd29ff97277b21cdb11c4424ff0915c3b7 Signed-off-by: Andrew Yourtchenko --- diff --git a/src/plugins/acl/hash_lookup.c b/src/plugins/acl/hash_lookup.c index f2913a933d0..c37aae44a98 100644 --- a/src/plugins/acl/hash_lookup.c +++ b/src/plugins/acl/hash_lookup.c @@ -734,12 +734,16 @@ hash_acl_apply(acl_main_t *am, u32 lc_index, int acl_index, u32 acl_position) * ACL, so the change adding this code also takes care of that. */ - /* expand the applied aces vector by the necessary amount */ - vec_resize((*applied_hash_aces), vec_len(ha->rules)); vec_validate(am->hash_applied_mask_info_vec_by_lc_index, lc_index); /* add the rules from the ACL to the hash table for lookup and append to the vector*/ for(i=0; i < vec_len(ha->rules); i++) { + /* + * Expand the applied aces vector to fit a new entry. + * One by one not to upset split_partition() if it is called. + */ + vec_resize((*applied_hash_aces), 1); + int is_ip6 = ha->rules[i].match.pkt.is_ip6; u32 new_index = base_offset + i; applied_hash_ace_entry_t *pae = vec_elt_at_index((*applied_hash_aces), new_index);