summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteven <sluong@cisco.com>2018-04-24 22:43:07 -0700
committerSteven <sluong@cisco.com>2018-04-24 22:47:44 -0700
commit516d63ff2c6671f3b0dc641511a50017a9804179 (patch)
treeeb4d0e8b12d107ec1a35cdacd9201ef63b9ba63f
parent6e4f40b6a9635df83cbafae348ab72017861fa8b (diff)
span: crash in span_mirror [VPP-1254]
It is possible for span-input to get call with sw_if_index which is greater than sm->interfaces and crashes in span_mirror () in the following line span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0); For example, span-input mirrors a main interface as source, it may actually get call for traffic coming in from the subinterface and crashes. The fix is simply to check if sw_if_index >= vec_len (sm->interfaces) and punt if it is. Change-Id: I8312eb321d638518e14ba2326fffd1a7919646ca Signed-off-by: Steven <sluong@cisco.com>
-rw-r--r--src/vnet/span/node.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/vnet/span/node.c b/src/vnet/span/node.c
index 8e2105bcc82..13e92abd5eb 100644
--- a/src/vnet/span/node.c
+++ b/src/vnet/span/node.c
@@ -70,9 +70,14 @@ span_mirror (vlib_main_t * vm, vlib_node_runtime_t * node, u32 sw_if_index0,
vnet_main_t *vnm = &vnet_main;
u32 *to_mirror_next = 0;
u32 i;
+ span_interface_t *si0;
+ span_mirror_t *sm0;
- span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
- span_mirror_t *sm0 = &si0->mirror_rxtx[sf][rxtx];
+ if (sw_if_index0 >= vec_len (sm->interfaces))
+ return;
+
+ si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
+ sm0 = &si0->mirror_rxtx[sf][rxtx];
if (sm0->num_mirror_ports == 0)
return;