aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDamjan Marion <damarion@cisco.com>2016-08-16 11:27:02 +0200
committerFlorin Coras <florin.coras@gmail.com>2016-08-17 08:21:42 +0000
commit3f54b18e055a606dd0ade78a370eebb758d8be7d (patch)
treea1e449d7f324401534130f377c83afb7efee8dea
parent607de1a0638fa45db49295f9ed51a7f9a5e38706 (diff)
Fix coverity issues in IPSec code, fixes VPP-189
Change-Id: I4e43606884ebad9a84abda779b82417192727ef3 Signed-off-by: Damjan Marion <damarion@cisco.com>
-rw-r--r--vnet/vnet/ipsec/esp_decrypt.c11
-rw-r--r--vnet/vnet/ipsec/esp_encrypt.c20
-rw-r--r--vnet/vnet/ipsec/ikev2.c2
-rw-r--r--vnet/vnet/ipsec/ipsec_cli.c5
-rw-r--r--vnet/vnet/ipsec/ipsec_output.c8
5 files changed, 29 insertions, 17 deletions
diff --git a/vnet/vnet/ipsec/esp_decrypt.c b/vnet/vnet/ipsec/esp_decrypt.c
index 49b1dfe4735..c350508917b 100644
--- a/vnet/vnet/ipsec/esp_decrypt.c
+++ b/vnet/vnet/ipsec/esp_decrypt.c
@@ -484,11 +484,11 @@ esp_decrypt_node_fn (vlib_main_t * vm,
{
o_b0->flags |= VLIB_BUFFER_IS_TRACED;
o_b0->trace_index = i_b0->trace_index;
+ esp_decrypt_trace_t *tr =
+ vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+ tr->crypto_alg = sa0->crypto_alg;
+ tr->integ_alg = sa0->integ_alg;
}
- esp_decrypt_trace_t *tr =
- vlib_add_trace (vm, node, o_b0, sizeof (*tr));
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
@@ -501,7 +501,8 @@ esp_decrypt_node_fn (vlib_main_t * vm,
from_frame->n_vectors);
free_buffers_and_exit:
- vlib_buffer_free (vm, recycle, vec_len (recycle));
+ if (recycle)
+ vlib_buffer_free (vm, recycle, vec_len (recycle));
vec_free (recycle);
return from_frame->n_vectors;
}
diff --git a/vnet/vnet/ipsec/esp_encrypt.c b/vnet/vnet/ipsec/esp_encrypt.c
index 44999bd5beb..45b4b3bb72b 100644
--- a/vnet/vnet/ipsec/esp_encrypt.c
+++ b/vnet/vnet/ipsec/esp_encrypt.c
@@ -270,7 +270,8 @@ esp_encrypt_node_fn (vlib_main_t * vm,
ip_proto = ih0->ip4.protocol;
}
- if (PREDICT_TRUE (sa0->is_tunnel && !sa0->is_tunnel_ip6))
+ if (PREDICT_TRUE
+ (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6))
{
oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
@@ -279,7 +280,7 @@ esp_encrypt_node_fn (vlib_main_t * vm,
next0 = ESP_ENCRYPT_NEXT_IP4_INPUT;
vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
}
- else if (sa0->is_tunnel && sa0->is_tunnel_ip6)
+ else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6)
{
oh6_0->ip6.src_address.as_u64[0] =
sa0->tunnel_src_addr.ip6.as_u64[0];
@@ -387,13 +388,13 @@ esp_encrypt_node_fn (vlib_main_t * vm,
{
o_b0->flags |= VLIB_BUFFER_IS_TRACED;
o_b0->trace_index = i_b0->trace_index;
+ esp_encrypt_trace_t *tr =
+ vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+ tr->spi = sa0->spi;
+ tr->seq = sa0->seq - 1;
+ tr->crypto_alg = sa0->crypto_alg;
+ tr->integ_alg = sa0->integ_alg;
}
- esp_encrypt_trace_t *tr =
- vlib_add_trace (vm, node, o_b0, sizeof (*tr));
- tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
@@ -407,7 +408,8 @@ esp_encrypt_node_fn (vlib_main_t * vm,
from_frame->n_vectors);
free_buffers_and_exit:
- vlib_buffer_free (vm, recycle, vec_len (recycle));
+ if (recycle)
+ vlib_buffer_free (vm, recycle, vec_len (recycle));
vec_free (recycle);
return from_frame->n_vectors;
}
diff --git a/vnet/vnet/ipsec/ikev2.c b/vnet/vnet/ipsec/ikev2.c
index dd00c9edef3..af9d99dc44c 100644
--- a/vnet/vnet/ipsec/ikev2.c
+++ b/vnet/vnet/ipsec/ikev2.c
@@ -1677,6 +1677,7 @@ ikev2_node_fn (vlib_main_t * vm,
udp_header_t *udp0;
ike_header_t *ike0;
ikev2_sa_t *sa0 = 0;
+ ikev2_sa_t sa; /* temporary store for SA */
int len = 0;
int r;
@@ -1704,7 +1705,6 @@ ikev2_node_fn (vlib_main_t * vm,
if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT)
{
- ikev2_sa_t sa; /* temporary store for SA */
sa0 = &sa;
memset (sa0, 0, sizeof (*sa0));
diff --git a/vnet/vnet/ipsec/ipsec_cli.c b/vnet/vnet/ipsec/ipsec_cli.c
index f25547003b6..8b15110af0d 100644
--- a/vnet/vnet/ipsec/ipsec_cli.c
+++ b/vnet/vnet/ipsec/ipsec_cli.c
@@ -171,7 +171,7 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm,
vlib_cli_command_t * cmd)
{
unformat_input_t _line_input, *line_input = &_line_input;
- u32 spd_id;
+ u32 spd_id = ~0;
int is_add = ~0;
if (!unformat_user (input, unformat_line_input, line_input))
@@ -192,6 +192,9 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm,
unformat_free (line_input);
+ if (spd_id == ~0)
+ return clib_error_return (0, "please specify SPD ID");
+
ipsec_add_del_spd (vm, spd_id, is_add);
return 0;
diff --git a/vnet/vnet/ipsec/ipsec_output.c b/vnet/vnet/ipsec/ipsec_output.c
index e72890d1239..c27e8e6a0a5 100644
--- a/vnet/vnet/ipsec/ipsec_output.c
+++ b/vnet/vnet/ipsec/ipsec_output.c
@@ -103,6 +103,9 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
ipsec_policy_t *p;
u32 *i;
+ if (!spd)
+ return 0;
+
vec_foreach (i, spd->ipv4_outbound_policies)
{
p = pool_elt_at_index (spd->policies, *i);
@@ -159,6 +162,9 @@ ipsec_output_ip6_policy_match (ipsec_spd_t * spd,
ipsec_policy_t *p;
u32 *i;
+ if (!spd)
+ return 0;
+
vec_foreach (i, spd->ipv6_outbound_policies)
{
p = pool_elt_at_index (spd->policies, *i);
@@ -365,7 +371,7 @@ ipsec_output_node_fn (vlib_main_t * vm,
from += 1;
n_left_from -= 1;
- if (PREDICT_FALSE ((last_next_node_index != next_node_index)))
+ if (PREDICT_FALSE ((last_next_node_index != next_node_index) || f == 0))
{
/* if this is not 1st frame */
if (f)