span: crash in span_mirror [VPP-1254]

It is possible for span-input to get call with sw_if_index which is greater than
sm->interfaces and crashes in span_mirror () in the following line

  span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);

For example, span-input mirrors a main interface as source, it may actually get
call for traffic coming in from the subinterface and crashes.

The fix is simply to check if sw_if_index >= vec_len (sm->interfaces) and
punt if it is.

Change-Id: I8312eb321d638518e14ba2326fffd1a7919646ca
Signed-off-by: Steven <sluong@cisco.com>

1 files changed, 7 insertions, 2 deletions

diff --git a/src/vnet/span/node.c b/src/vnet/span/node.c
index 8e2105bcc82..13e92abd5eb 100644
--- a/src/vnet/span/node.c
+++ b/src/vnet/span/node.c
@@ -70,9 +70,14 @@ span_mirror (vlib_main_t * vm, vlib_node_runtime_t * node, u32 sw_if_index0,
   vnet_main_t *vnm = &vnet_main;
   u32 *to_mirror_next = 0;
   u32 i;
+  span_interface_t *si0;
+  span_mirror_t *sm0;
 
-  span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
-  span_mirror_t *sm0 = &si0->mirror_rxtx[sf][rxtx];
+  if (sw_if_index0 >= vec_len (sm->interfaces))
+    return;
+
+  si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
+  sm0 = &si0->mirror_rxtx[sf][rxtx];
 
   if (sm0->num_mirror_ports == 0)
     return;