authorMatthew Smith <mgsmith@netgate.com>2020-04-10 20:27:33 -0500
committerNeale Ranns <nranns@cisco.com>2020-04-14 07:37:28 +0000
commitdc3e9664858df680accca7324299b633bf60397d (patch)
tree3da66ff699fb4971d8272ff127070ca384c37c76 /src/vnet/ipsec/ipsec_tun.h
parent4fde4ae0363de45d867eb3472e43b89ae34d3bd1 (diff)
ipsec: validate number of input sas
Type: fix There is a statically allocated array for inbound SAs which can hold 4 IDs. The input parameter containing the IDs of the inbound SAs is a vector, and it is possible to pass a vector with more than 4 elements and write memory past the end of the array. Fail if more than 4 SAs are passed in the vector. Change-Id: I0c9d321c902d6366b8aff816d04e343dcbd110eb Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun.h')
-rw-r--r--src/vnet/ipsec/ipsec_tun.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index 863afdbba5a..90f299668dc 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -59,6 +59,8 @@ typedef struct ipsec_ep_t_
ip46_address_t dst;
} ipsec_ep_t;
+#define ITP_MAX_N_SA_IN 4
+
typedef struct ipsec_tun_protect_t_
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
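Review bot: `ITP_MAX_N_SA_IN` is added without a comment tying it to `itp_n_sa_in` and `itp_in_sas[]`, so the invariant this fix depends on stays implicit for the next person who writes to the array. I would put this above the define: `/* Capacity of itp_in_sas[]; itp_n_sa_in must never exceed it, so check the source vector length against it before copying */`. The same constant sizes the array in the second hunk. This page is limited to ipsec_tun.h, so the length check the commit message describes is not visible here; presumably it lives in the matching .c file and rejects the request before the first write into the array. The struct `ipsec_tun_protect_t_` continues outside the hunk.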
@@ -67,7 +69,7 @@ typedef struct ipsec_tun_protect_t_
/* not using a vector since we want the memory inline
* with this struct */
u32 itp_n_sa_in;
- index_t itp_in_sas[4];
+ index_t itp_in_sas[ITP_MAX_N_SA_IN];
u32 itp_sw_if_index;
/*
  Copyright (c) 2017 Cisco and/or its affiliates.

  * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*/

/*
 * Note: to instantiate the template multiple times in a single file,
 * #undef __included_cuckoo_template_h__...
 */
#ifndef __included_cuckoo_common_h__
#define __included_cuckoo_common_h__

#include <vppinfra/types.h>

/*
 * Compile-time switches for the cuckoo hash optimisations; each is
 * defined to 1 here. The code that tests them is not in this header --
 * presumably the cuckoo template sources; confirm there before changing
 * a value.
 */
#define CLIB_CUCKOO_OPTIMIZE_PREFETCH 1
#define CLIB_CUCKOO_OPTIMIZE_CMP_REDUCED_HASH 1
#define CLIB_CUCKOO_OPTIMIZE_UNROLL 1
#define CLIB_CUCKOO_OPTIMIZE_USE_COUNT_LIMITS_SEARCH 1

/*
 * X-macro list of cuckoo error codes. The caller-supplied macro F is
 * invoked once per entry as F (symbol, numeric value, description
 * string). Success is 0 and both failure codes are negative.
 */
#define foreach_clib_cuckoo_error(F)                \
  F (CLIB_CUCKOO_ERROR_SUCCESS, 0, "success")             \
  F (CLIB_CUCKOO_ERROR_NOT_FOUND, -1, "object not found") \
  F (CLIB_CUCKOO_ERROR_AGAIN, -2, "object busy")

/*
 * Error codes for cuckoo operations, generated from
 * foreach_clib_cuckoo_error so the enumerators stay in step with that
 * list.
 */
typedef enum
{
/* Emit "symbol = value," for each entry; the description string is unused here. */
#define F(n, v, s) n = v,
  foreach_clib_cuckoo_error (F)
#undef F
} clib_cuckoo_error_e;

/*
 * Lookup information for one key: two bucket values and a one-byte
 * reduced hash.
 * NOTE(review): presumably bucket1/bucket2 are the key's two candidate
 * bucket positions and reduced_hash is a shortened hash compared before
 * the full key -- confirm against the cuckoo template code.
 */
typedef struct
{
  uword bucket1;
  uword bucket2;
  u8 reduced_hash;
} clib_cuckoo_lookup_info_t;

#endif /* __included_cuckoo_common_h__ */

/** @endcond */

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */