IPsec: modify post-decrypt buf len calculation

For tunnel mode, after decryption the buffer length was being adjusted by adding (iv length + esp header size). Subtract it instead. Required for BFD to work on an IPsec tunnel interface. BFD verifies that the amount of received data is the expected size. It drops the packet if the buffer metadata says that the packet buffer contains more data than the packet headers say it should. Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
author: Matthew G Smith <mgsmith@netgate.com> 2019-05-22 13:34:08 -0500
committer: Damjan Marion <dmarion@me.com> 2019-05-30 08:41:20 +0000
commit: 2a2e5938a3a019f94b4acf53191bf4a42d72c68a (patch)
tree: 1166583492cd5a43aa664596f7123798e32e50d8
parent: 734d430f37251bc7e71d507983ee640ae1625fbe (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index a66eae7aadd..8272bb0dbcb 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -424,13 +424,13 @@ esp_decrypt_inline (vlib_main_t * vm,
 	    {
 	      next[0] = ESP_DECRYPT_NEXT_IP4_INPUT;
 	      b[0]->current_data = pd->current_data + adv;
-	      b[0]->current_length = pd->current_length + adv - tail;
+	      b[0]->current_length = pd->current_length - adv - tail;
 	    }
 	  else if (f->next_header == IP_PROTOCOL_IPV6)
 	    {
 	      next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
 	      b[0]->current_data = pd->current_data + adv;
-	      b[0]->current_length = pd->current_length + adv - tail;
+	      b[0]->current_length = pd->current_length - adv - tail;
 	    }
 	  else
 	    {
author	Matthew G Smith <mgsmith@netgate.com>	2019-05-22 13:34:08 -0500
committer	Damjan Marion <dmarion@me.com>	2019-05-30 08:41:20 +0000
commit	2a2e5938a3a019f94b4acf53191bf4a42d72c68a (patch)
tree	1166583492cd5a43aa664596f7123798e32e50d8
parent	734d430f37251bc7e71d507983ee640ae1625fbe (diff)