authorNeale Ranns <nranns@cisco.com>2019-04-18 17:18:12 -0700
committerFlorin Coras <florin.coras@gmail.com>2019-04-19 03:58:34 +0000
commitd207fd7e25f1f0b27acf3dc57c93b1339eb6efff (patch)
tree850bb052dd62b1be4ea5ba1bd285292369f9af29
parentd35abc4c674f9540d9b0c49dead21328cf57e08d (diff)
IPSEC: ESP IPv6 transport mode payload length incorrect (VPP-1653)
Change-Id: I8977100d7a22b50260858bd1ea9db419b53284ff Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/vnet/ipsec/esp_encrypt.c4
-rw-r--r--test/template_ipsec.py4
2 files changed, 7 insertions, 1 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e319a9628f4..f1153d92e8c 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -402,7 +402,9 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr);
*next_hdr_ptr = ip6->protocol;
ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
- ip6->payload_length = payload_len + hdr_len - l2_len - ip_len;
+ ip6->payload_length =
+ clib_host_to_net_u16 (payload_len + hdr_len - l2_len -
+ ip_len);
}
else
{
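Review bot: The value stored in `ip6->payload_length` is still an unchecked sum narrowed to 16 bits, because `payload_len + hdr_len - l2_len - ip_len` is passed straight to `clib_host_to_net_u16`. If those variables are wider than u16 (their declarations are outside the hunk), an oversized or inconsistent value would wrap silently and put a wrong length on the wire. A debug-build check before the assignment, such as `ASSERT (payload_len + hdr_len - l2_len - ip_len <= 0xffff);`, would make that visible. A short comment like `/* payload_length: bytes after the fixed IPv6 header, network byte order */` would also record why the swap is needed. The body of esp_encrypt_inline starts and ends outside the hunk.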
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index d6641c45dd1..17470d93e3a 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -463,6 +463,8 @@ class IpsecTra6(object):
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
self.tra_if)
for rx in recv_pkts:
+ self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
+ rx[IPv6].plen)
try:
decrypted = p.vpp_tra_sa.decrypt(rx[IPv6])
self.assert_packet_checksums_valid(decrypted)
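Review bot: The new `assertEqual` on `rx[IPv6].plen` sits before the `try:`, so whatever handler that `try` has (it is outside the hunk) will not run on a length mismatch, and the failure carries no message naming the field. Passing a message, e.g. `self.assertEqual(len(rx) - len(Ether()) - len(IPv6()), rx[IPv6].plen, "IPv6 payload length mismatch")`, or moving the check inside the `try`, would make a regression easier to diagnose. The same applies to the identical check added in the IpsecTun6 hunk on `recv_pkt`. Since the expression is duplicated, a small shared helper on the test template would keep the two checks in step. The check presumably relies on the captured frame being exactly Ether + IPv6 header + payload with no trailing padding, which is worth a one-line comment.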
@@ -660,6 +662,8 @@ class IpsecTun6(object):
count=count)
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
for recv_pkt in recv_pkts:
+ self.assertEqual(len(recv_pkt) - len(Ether()) - len(IPv6()),
+ recv_pkt[IPv6].plen)
try:
decrypt_pkt = p.vpp_tun_sa.decrypt(recv_pkt[IPv6])
if not decrypt_pkt.haslayer(IPv6):