summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_if.c
diff options
context:
space:
mode:
authorMatthew Smith <mgsmith@netgate.com>2019-07-08 14:45:04 -0500
committerNeale Ranns <nranns@cisco.com>2019-07-12 14:23:28 +0000
commit401aedfb032d69daa876544e8e0a2973d69c50ac (patch)
tree4c4caf2f1a84bc0548b5973fc5794bab487e2649 /src/vnet/ipsec/ipsec_if.c
parent43ba29267b1f1db04cba0af1f994a5c8477ca870 (diff)
ipsec: drop outbound ESP when no crypto alg set
Type: fix If a tunnel interface has the crypto alg set on the outbound SA to IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface, the attempt to write an ESP trailer on the packet occurs at the wrong offset and the vnet buffer opaque data is corrupted, which can result in a SEGV when a subsequent node attempts to use that data. When an outbound SA is set on a tunnel interface which has no crypto alg set, add a node to the ip{4,6}-output feature arcs which drops all packets leaving that interface instead of adding the node which would try to encrypt the packets. Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_if.c')
-rw-r--r--src/vnet/ipsec/ipsec_if.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 5fc49e1af4e..562f40ec9ab 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -234,19 +234,31 @@ static void
ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
{
u8 arc;
+ u32 esp4_feature_index, esp6_feature_index;
+ ipsec_sa_t *sa;
+
+ sa = ipsec_sa_get (t->output_sa_index);
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE)
+ {
+ esp4_feature_index = im->esp4_no_crypto_tun_feature_index;
+ esp6_feature_index = im->esp6_no_crypto_tun_feature_index;
+ }
+ else
+ {
+ esp4_feature_index = im->esp4_encrypt_tun_feature_index;
+ esp6_feature_index = im->esp6_encrypt_tun_feature_index;
+ }
arc = vnet_get_feature_arc_index ("ip4-output");
- vnet_feature_enable_disable_with_index (arc,
- im->esp4_encrypt_tun_feature_index,
+ vnet_feature_enable_disable_with_index (arc, esp4_feature_index,
t->sw_if_index, enable,
&t->output_sa_index,
sizeof (t->output_sa_index));
arc = vnet_get_feature_arc_index ("ip6-output");
- vnet_feature_enable_disable_with_index (arc,
- im->esp6_encrypt_tun_feature_index,
+ vnet_feature_enable_disable_with_index (arc, esp6_feature_index,
t->sw_if_index, enable,
&t->output_sa_index,
sizeof (t->output_sa_index));
@@ -562,6 +574,13 @@ ipsec_tunnel_if_init (vlib_main_t * vm)
udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index,
1);
+
+ /* set up feature nodes to drop outbound packets with no crypto alg set */
+ ipsec_add_feature ("ip4-output", "esp4-no-crypto",
+ &im->esp4_no_crypto_tun_feature_index);
+ ipsec_add_feature ("ip6-output", "esp6-no-crypto",
+ &im->esp6_no_crypto_tun_feature_index);
+
return 0;
}