MAP: Add check for well known ports.

And more unit-tests. Change-Id: I4667d82d928b7ba8d96b5a5648d464115b3ed216 Signed-off-by: Ole Troan <ot@cisco.com>
author: Ole Troan <ot@cisco.com> 2018-09-28 14:28:00 +0200
committer: Ole Troan <ot@cisco.com> 2018-09-28 18:19:56 +0200
commit: 9be93c8f85d752930566a1d37e9f4841ca78861f (patch)
tree: 72ac20efdf13e24efee4df9463db05baad5c43bd /src/plugins/map/ip4_map_t.c
parent: bf4d126b811c6ad00068fd04af652c982dc289c1 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index c6b091294bb..a64b767c908 100644
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -736,6 +736,14 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	  ip4_map_t_classify (p0, d0, ip40, ip4_len0, &map_port0, &error0,
 			      &next0);
 
+	  /* Verify that port is not among the well-known ports */
+	  if ((d0->psid_length > 0 && d0->psid_offset > 0)
+	      && (clib_net_to_host_u16 (map_port0) <
+		  (0x1 << (16 - d0->psid_offset))))
+	    {
+	      error0 = MAP_ERROR_SEC_CHECK;
+	    }
+
 	  //Add MAP-T pseudo header in front of the packet
 	  vlib_buffer_advance (p0, -sizeof (*pheader0));
 	  pheader0 = vlib_buffer_get_current (p0);
author	Ole Troan <ot@cisco.com>	2018-09-28 14:28:00 +0200
committer	Ole Troan <ot@cisco.com>	2018-09-28 18:19:56 +0200
commit	9be93c8f85d752930566a1d37e9f4841ca78861f (patch)
tree	72ac20efdf13e24efee4df9463db05baad5c43bd /src/plugins/map/ip4_map_t.c
parent	bf4d126b811c6ad00068fd04af652c982dc289c1 (diff)