aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew G Smith <mgsmith@netgate.com>2019-05-22 13:34:08 -0500
committerDamjan Marion <dmarion@me.com>2019-05-30 08:41:20 +0000
commit2a2e5938a3a019f94b4acf53191bf4a42d72c68a (patch)
tree1166583492cd5a43aa664596f7123798e32e50d8
parent734d430f37251bc7e71d507983ee640ae1625fbe (diff)
IPsec: modify post-decrypt buf len calculation
For tunnel mode, after decryption the buffer length was being adjusted by adding (iv length + esp header size). Subtract it instead. Required for BFD to work on an IPsec tunnel interface. BFD verifies that the amount of received data is the expected size. It drops the packet if the buffer metadata says that the packet buffer contains more data than the packet headers say it should. Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index a66eae7aadd..8272bb0dbcb 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -424,13 +424,13 @@ esp_decrypt_inline (vlib_main_t * vm,
{
next[0] = ESP_DECRYPT_NEXT_IP4_INPUT;
b[0]->current_data = pd->current_data + adv;
- b[0]->current_length = pd->current_length + adv - tail;
+ b[0]->current_length = pd->current_length - adv - tail;
}
else if (f->next_header == IP_PROTOCOL_IPV6)
{
next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
b[0]->current_data = pd->current_data + adv;
- b[0]->current_length = pd->current_length + adv - tail;
+ b[0]->current_length = pd->current_length - adv - tail;
}
else
{