From: Akhil Goyal Date: Thu, 11 Jan 2018 11:55:36 +0000 (+0530) Subject: examples/ipsec-secgw: fix corner case for SPI value X-Git-Tag: spdx-start~102 X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=2a5106af132b;p=dpdk.git examples/ipsec-secgw: fix corner case for SPI value IPSec application is using index 0 of SA table as error, with current value of IPSEC_SA_MAX_ENTRIES(128) it can not support SA with spi = 128, as it uses sa_idx = 0 in the SA table. With this patch, sa_idx = 0 can also be used. PS: spi = 0 is an invalid SPI and application throws error for it. Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application") Cc: stable@dpdk.org Signed-off-by: Akhil Goyal Acked-by: Radu Nicolau --- diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 84cc9b1573..192d8ec5bb 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -422,7 +422,8 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, } sa_idx = ip->res[i] & PROTECT_MASK; - if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) { + if (sa_idx >= IPSEC_SA_MAX_ENTRIES || + !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); continue; } @@ -487,9 +488,9 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; sa_idx = ip->res[i] & PROTECT_MASK; - if ((ip->res[i] == 0) || (ip->res[i] & DISCARD)) + if (ip->res[i] & DISCARD) rte_pktmbuf_free(m); - else if (sa_idx != 0) { + else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { ipsec->res[ipsec->num] = sa_idx; ipsec->pkts[ipsec->num++] = m; } else /* BYPASS */ diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 1ae4e2a9c5..25ceea179d 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -240,6 +240,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, APP_CHECK_TOKEN_IS_NUM(tokens, 1, status); if (status->status < 0) return; + if (atoi(tokens[1]) == INVALID_SPI) + return; rule->spi = atoi(tokens[1]); for (ti = 2; ti < n_tokens; ti++) {