[dpdk-stable] patch 'examples/ipsec-secgw: fix corner case for SPI value' has been queued to LTS release 16.11.5

luca.boccassi at gmail.com luca.boccassi at gmail.com
Fri Jan 26 14:13:29 CET 2018

Previous message: [dpdk-stable] patch 'test/crypto: fix missing include' has been queued to LTS release 16.11.5
Next message: [dpdk-stable] patch 'net/i40e: fix flag for MAC address write' has been queued to LTS release 16.11.5
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to LTS release 16.11.5

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 01/28/18. So please
shout if anyone has objections.

Thanks.

Luca Boccassi

---
>From 2a55bf3ff700e901b9d337f4c7e74808077bed09 Mon Sep 17 00:00:00 2001
From: Akhil Goyal <akhil.goyal at nxp.com>
Date: Thu, 11 Jan 2018 17:25:36 +0530
Subject: [PATCH] examples/ipsec-secgw: fix corner case for SPI value

[ upstream commit 2a5106af132b6cd740769714cb5096ee3654469e ]

IPSec application is using index 0 of SA table as error,
with current value of IPSEC_SA_MAX_ENTRIES(128) it can
not support SA with spi = 128, as it uses sa_idx = 0
in the SA table.

With this patch, sa_idx = 0 can also be used.

PS: spi = 0 is an invalid SPI and application throws error
for it.

Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Akhil Goyal <akhil.goyal at nxp.com>
Acked-by: Radu Nicolau <radu.nicolau at intel.com>
---
 examples/ipsec-secgw/ipsec-secgw.c | 7 ++++---
 examples/ipsec-secgw/sa.c          | 2 ++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index 9cccd8a0b..3c1ea16d5 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -409,7 +409,8 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
 		}
 		/* Only check SPI match for processed IPSec packets */
 		sa_idx = ip->res[i] & PROTECT_MASK;
-		if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
+		if (sa_idx >= IPSEC_SA_MAX_ENTRIES ||
+				!inbound_sa_check(sa, m, sa_idx)) {
 			rte_pktmbuf_free(m);
 			continue;
 		}
@@ -474,9 +475,9 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip,
 	for (i = 0; i < ip->num; i++) {
 		m = ip->pkts[i];
 		sa_idx = ip->res[i] & PROTECT_MASK;
-		if ((ip->res[i] == 0) || (ip->res[i] & DISCARD))
+		if (ip->res[i] & DISCARD)
 			rte_pktmbuf_free(m);
-		else if (sa_idx != 0) {
+		else if (sa_idx < IPSEC_SA_MAX_ENTRIES) {
 			ipsec->res[ipsec->num] = sa_idx;
 			ipsec->pkts[ipsec->num++] = m;
 		} else /* BYPASS */
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 8c4406cf8..513959c6e 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -232,6 +232,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 	APP_CHECK_TOKEN_IS_NUM(tokens, 1, status);
 	if (status->status < 0)
 		return;
+	if (atoi(tokens[1]) == INVALID_SPI)
+		return;
 	rule->spi = atoi(tokens[1]);
 
 	for (ti = 2; ti < n_tokens; ti++) {
-- 
2.14.2

Previous message: [dpdk-stable] patch 'test/crypto: fix missing include' has been queued to LTS release 16.11.5
Next message: [dpdk-stable] patch 'net/i40e: fix flag for MAC address write' has been queued to LTS release 16.11.5
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list