diff options
author | Matthew Smith <mgsmith@netgate.com> | 2019-07-08 14:45:04 -0500 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-07-12 14:23:28 +0000 |
commit | 401aedfb032d69daa876544e8e0a2973d69c50ac (patch) | |
tree | 4c4caf2f1a84bc0548b5973fc5794bab487e2649 /src/vnet/ipsec/ipsec_if.c | |
parent | 43ba29267b1f1db04cba0af1f994a5c8477ca870 (diff) |
ipsec: drop outbound ESP when no crypto alg set
Type: fix
If a tunnel interface has the crypto alg set on the outbound SA to
IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface,
the attempt to write an ESP trailer on the packet occurs at the
wrong offset and the vnet buffer opaque data is corrupted, which
can result in a SEGV when a subsequent node attempts to use that
data.
When an outbound SA is set on a tunnel interface which has no crypto
alg set, add a node to the ip{4,6}-output feature arcs which drops all
packets leaving that interface instead of adding the node which would
try to encrypt the packets.
Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_if.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 5fc49e1af4e..562f40ec9ab 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -234,19 +234,31 @@ static void ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable) { u8 arc; + u32 esp4_feature_index, esp6_feature_index; + ipsec_sa_t *sa; + + sa = ipsec_sa_get (t->output_sa_index); + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE) + { + esp4_feature_index = im->esp4_no_crypto_tun_feature_index; + esp6_feature_index = im->esp6_no_crypto_tun_feature_index; + } + else + { + esp4_feature_index = im->esp4_encrypt_tun_feature_index; + esp6_feature_index = im->esp6_encrypt_tun_feature_index; + } arc = vnet_get_feature_arc_index ("ip4-output"); - vnet_feature_enable_disable_with_index (arc, - im->esp4_encrypt_tun_feature_index, + vnet_feature_enable_disable_with_index (arc, esp4_feature_index, t->sw_if_index, enable, &t->output_sa_index, sizeof (t->output_sa_index)); arc = vnet_get_feature_arc_index ("ip6-output"); - vnet_feature_enable_disable_with_index (arc, - im->esp6_encrypt_tun_feature_index, + vnet_feature_enable_disable_with_index (arc, esp6_feature_index, t->sw_if_index, enable, &t->output_sa_index, sizeof (t->output_sa_index)); @@ -562,6 +574,13 @@ ipsec_tunnel_if_init (vlib_main_t * vm) udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, 1); + + /* set up feature nodes to drop outbound packets with no crypto alg set */ + ipsec_add_feature ("ip4-output", "esp4-no-crypto", + &im->esp4_no_crypto_tun_feature_index); + ipsec_add_feature ("ip6-output", "esp6-no-crypto", + &im->esp6_no_crypto_tun_feature_index); + return 0; } |