aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFilip Tehlar <ftehlar@cisco.com>2020-11-10 09:32:13 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2020-11-26 15:02:41 +0000
commit49de3282a3101dcc89e417d3c80a5af91d72a158 (patch)
tree648c87f9be79f6ea645330c960493a3f306cbdd6
parent29ad98844bc90fb6780642cabe6fb074e6930628 (diff)
ikev2: fix memleak when tunnel protect fails
Type: fix Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: BenoƮt Ganne <bganne@cisco.com> (cherry picked from commit 727082016f8822edcf40662d0059d3e8fab5e2ef)
-rw-r--r--src/plugins/ikev2/ikev2.c51
1 files changed, 35 insertions, 16 deletions
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 30e2a48ee84..d64ea6a88cd 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1862,21 +1862,37 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
vec_add1 (sas_in, a->old_remote_sa_id);
}
- rv |= ipsec_sa_add_and_lock (a->local_sa_id,
- a->local_spi,
- IPSEC_PROTOCOL_ESP, a->encr_type,
- &a->loc_ckey, a->integ_type, &a->loc_ikey,
- a->flags, 0, a->salt_local, &a->local_ip,
- &a->remote_ip, NULL, a->src_port, a->dst_port);
- rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
- IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
- a->integ_type, &a->rem_ikey,
- (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
- a->salt_remote, &a->remote_ip,
- &a->local_ip, NULL, a->ipsec_over_udp_port,
- a->ipsec_over_udp_port);
-
- rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
+ rv = ipsec_sa_add_and_lock (a->local_sa_id,
+ a->local_spi,
+ IPSEC_PROTOCOL_ESP, a->encr_type,
+ &a->loc_ckey, a->integ_type, &a->loc_ikey,
+ a->flags, 0, a->salt_local, &a->local_ip,
+ &a->remote_ip, NULL, a->src_port, a->dst_port);
+ if (rv)
+ goto err0;
+
+ rv = ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
+ IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
+ a->integ_type, &a->rem_ikey,
+ (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
+ a->salt_remote, &a->remote_ip,
+ &a->local_ip, NULL, a->ipsec_over_udp_port,
+ a->ipsec_over_udp_port);
+ if (rv)
+ goto err1;
+
+ rv = ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
+ if (rv)
+ goto err2;
+
+ return;
+
+err2:
+ ipsec_sa_unlock_id (a->remote_sa_id);
+err1:
+ ipsec_sa_unlock_id (a->local_sa_id);
+err0:
+ vec_free (sas_in);
}
static int
@@ -4689,7 +4705,10 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa,
u32 *sas_in = NULL;
vec_add1 (sas_in, csa->remote_sa_id);
vlib_worker_thread_barrier_sync (vm);
- ipsec_tun_protect_update (sw_if_index, NULL, csa->local_sa_id, sas_in);
+ int rv = ipsec_tun_protect_update (sw_if_index, NULL,
+ csa->local_sa_id, sas_in);
+ if (rv)
+ vec_free (sas_in);
ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id));
vlib_worker_thread_barrier_release (vm);
}