diff options
| author |   Damjan Marion <damarion@cisco.com> | 2016-08-16 11:27:02 +0200 |
|---|---|---|
| committer |   Florin Coras <florin.coras@gmail.com> | 2016-08-17 08:21:42 +0000 |
| commit | 3f54b18e055a606dd0ade78a370eebb758d8be7d (patch) | |
| tree | a1e449d7f324401534130f377c83afb7efee8dea | |
| parent | 607de1a0638fa45db49295f9ed51a7f9a5e38706 (diff) | |
Fix coverity issues in IPSec code, fixes VPP-189
Change-Id: I4e43606884ebad9a84abda779b82417192727ef3
Signed-off-by: Damjan Marion <damarion@cisco.com>
| -rw-r--r-- | vnet/vnet/ipsec/esp_decrypt.c | 11 | ||||
| -rw-r--r-- | vnet/vnet/ipsec/esp_encrypt.c | 20 | ||||
| -rw-r--r-- | vnet/vnet/ipsec/ikev2.c | 2 | ||||
| -rw-r--r-- | vnet/vnet/ipsec/ipsec_cli.c | 5 | ||||
| -rw-r--r-- | vnet/vnet/ipsec/ipsec_output.c | 8 |
5 files changed, 29 insertions, 17 deletions
diff --git a/vnet/vnet/ipsec/esp_decrypt.c b/vnet/vnet/ipsec/esp_decrypt.c index 49b1dfe4735..c350508917b 100644 --- a/vnet/vnet/ipsec/esp_decrypt.c +++ b/vnet/vnet/ipsec/esp_decrypt.c @@ -484,11 +484,11 @@ esp_decrypt_node_fn (vlib_main_t * vm, { o_b0->flags |= VLIB_BUFFER_IS_TRACED; o_b0->trace_index = i_b0->trace_index; + esp_decrypt_trace_t *tr = + vlib_add_trace (vm, node, o_b0, sizeof (*tr)); + tr->crypto_alg = sa0->crypto_alg; + tr->integ_alg = sa0->integ_alg; } - esp_decrypt_trace_t *tr = - vlib_add_trace (vm, node, o_b0, sizeof (*tr)); - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, @@ -501,7 +501,8 @@ esp_decrypt_node_fn (vlib_main_t * vm, from_frame->n_vectors); free_buffers_and_exit: - vlib_buffer_free (vm, recycle, vec_len (recycle)); + if (recycle) + vlib_buffer_free (vm, recycle, vec_len (recycle)); vec_free (recycle); return from_frame->n_vectors; } diff --git a/vnet/vnet/ipsec/esp_encrypt.c b/vnet/vnet/ipsec/esp_encrypt.c index 44999bd5beb..45b4b3bb72b 100644 --- a/vnet/vnet/ipsec/esp_encrypt.c +++ b/vnet/vnet/ipsec/esp_encrypt.c @@ -270,7 +270,8 @@ esp_encrypt_node_fn (vlib_main_t * vm, ip_proto = ih0->ip4.protocol; } - if (PREDICT_TRUE (sa0->is_tunnel && !sa0->is_tunnel_ip6)) + if (PREDICT_TRUE + (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6)) { oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; @@ -279,7 +280,7 @@ esp_encrypt_node_fn (vlib_main_t * vm, next0 = ESP_ENCRYPT_NEXT_IP4_INPUT; vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } - else if (sa0->is_tunnel && sa0->is_tunnel_ip6) + else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6) { oh6_0->ip6.src_address.as_u64[0] = sa0->tunnel_src_addr.ip6.as_u64[0]; @@ -387,13 +388,13 @@ esp_encrypt_node_fn (vlib_main_t * vm, { o_b0->flags |= VLIB_BUFFER_IS_TRACED; o_b0->trace_index = i_b0->trace_index; + esp_encrypt_trace_t *tr = + vlib_add_trace (vm, node, o_b0, sizeof (*tr)); + tr->spi = sa0->spi; + tr->seq = sa0->seq - 1; + tr->crypto_alg = sa0->crypto_alg; + tr->integ_alg = sa0->integ_alg; } - esp_encrypt_trace_t *tr = - vlib_add_trace (vm, node, o_b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, @@ -407,7 +408,8 @@ esp_encrypt_node_fn (vlib_main_t * vm, from_frame->n_vectors); free_buffers_and_exit: - vlib_buffer_free (vm, recycle, vec_len (recycle)); + if (recycle) + vlib_buffer_free (vm, recycle, vec_len (recycle)); vec_free (recycle); return from_frame->n_vectors; } diff --git a/vnet/vnet/ipsec/ikev2.c b/vnet/vnet/ipsec/ikev2.c index dd00c9edef3..af9d99dc44c 100644 --- a/vnet/vnet/ipsec/ikev2.c +++ b/vnet/vnet/ipsec/ikev2.c @@ -1677,6 +1677,7 @@ ikev2_node_fn (vlib_main_t * vm, udp_header_t *udp0; ike_header_t *ike0; ikev2_sa_t *sa0 = 0; + ikev2_sa_t sa; /* temporary store for SA */ int len = 0; int r; @@ -1704,7 +1705,6 @@ ikev2_node_fn (vlib_main_t * vm, if (ike0->exchange == IKEV2_EXCHANGE_SA_INIT) { - ikev2_sa_t sa; /* temporary store for SA */ sa0 = &sa; memset (sa0, 0, sizeof (*sa0)); diff --git a/vnet/vnet/ipsec/ipsec_cli.c b/vnet/vnet/ipsec/ipsec_cli.c index f25547003b6..8b15110af0d 100644 --- a/vnet/vnet/ipsec/ipsec_cli.c +++ b/vnet/vnet/ipsec/ipsec_cli.c @@ -171,7 +171,7 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - u32 spd_id; + u32 spd_id = ~0; int is_add = ~0; if (!unformat_user (input, unformat_line_input, line_input)) @@ -192,6 +192,9 @@ ipsec_spd_add_del_command_fn (vlib_main_t * vm, unformat_free (line_input); + if (spd_id == ~0) + return clib_error_return (0, "please specify SPD ID"); + ipsec_add_del_spd (vm, spd_id, is_add); return 0; diff --git a/vnet/vnet/ipsec/ipsec_output.c b/vnet/vnet/ipsec/ipsec_output.c index e72890d1239..c27e8e6a0a5 100644 --- a/vnet/vnet/ipsec/ipsec_output.c +++ b/vnet/vnet/ipsec/ipsec_output.c @@ -103,6 +103,9 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp, ipsec_policy_t *p; u32 *i; + if (!spd) + return 0; + vec_foreach (i, spd->ipv4_outbound_policies) { p = pool_elt_at_index (spd->policies, *i); @@ -159,6 +162,9 @@ ipsec_output_ip6_policy_match (ipsec_spd_t * spd, ipsec_policy_t *p; u32 *i; + if (!spd) + return 0; + vec_foreach (i, spd->ipv6_outbound_policies) { p = pool_elt_at_index (spd->policies, *i); @@ -365,7 +371,7 @@ ipsec_output_node_fn (vlib_main_t * vm, from += 1; n_left_from -= 1; - if (PREDICT_FALSE ((last_next_node_index != next_node_index))) + if (PREDICT_FALSE ((last_next_node_index != next_node_index) || f == 0)) { /* if this is not 1st frame */ if (f) |