ipsec: fix ipsec_set_next_index set with wrong sa index when async frame commit failed

Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: Ib4c61906a9cbb3eea1214394d164ecffb38fd36d

3 files changed, 39 insertions, 27 deletions

diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index 311882af08e..72abb9f0dbd 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -211,31 +211,6 @@ esp_decrypt_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node,
 			drop_next, sa_index);
 }
 
-/* when submitting a frame is failed, drop all buffers in the frame */
-always_inline u32
-esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
-				 vlib_node_runtime_t *node, u32 err,
-				 u32 ipsec_sa_err, u16 index, u32 *from,
-				 u16 *nexts, u16 drop_next_index)
-{
-  vlib_buffer_t *b;
-  u32 n_drop = f->n_elts;
-  u32 *bi = f->buffer_indices;
-
-  while (n_drop--)
-    {
-      from[index] = bi[0];
-      b = vlib_get_buffer (vm, bi[0]);
-      ipsec_set_next_index (b, node, vm->thread_index, err, ipsec_sa_err,
-			    index, nexts, drop_next_index,
-			    vnet_buffer (b)->ipsec.sad_index);
-      bi++;
-      index++;
-    }
-
-  return (f->n_elts);
-}
-
 /**
  * The post data structure to for esp_encrypt/decrypt_inline to write to
  * vib_buffer_t opaque unused field, and for post nodes to pick up after
@@ -310,6 +285,43 @@ typedef struct
 extern esp_async_post_next_t esp_encrypt_async_next;
 extern esp_async_post_next_t esp_decrypt_async_next;
 
+/* when submitting a frame is failed, drop all buffers in the frame */
+always_inline u32
+esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
+				 vlib_node_runtime_t *node, u32 err,
+				 u32 ipsec_sa_err, u16 index, u32 *from,
+				 u16 *nexts, u16 drop_next_index,
+				 bool is_encrypt)
+{
+  vlib_buffer_t *b;
+  u32 n_drop = f->n_elts;
+  u32 *bi = f->buffer_indices;
+
+  while (n_drop--)
+    {
+      u32 sa_index;
+
+      from[index] = bi[0];
+      b = vlib_get_buffer (vm, bi[0]);
+
+      if (is_encrypt)
+	{
+	  sa_index = vnet_buffer (b)->ipsec.sad_index;
+	}
+      else
+	{
+	  sa_index = esp_post_data (b)->decrypt_data.sa_index;
+	}
+
+      ipsec_set_next_index (b, node, vm->thread_index, err, ipsec_sa_err,
+			    index, nexts, drop_next_index, sa_index);
+      bi++;
+      index++;
+    }
+
+  return (f->n_elts);
+}
+
 #endif /* __ESP_H__ */
 
 /*
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 827d168f98a..6db1fe305c8 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -1246,7 +1246,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	  n_noop += esp_async_recycle_failed_submit (
 	    vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR,
 	    IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, noop_nexts,
-	    ESP_DECRYPT_NEXT_DROP);
+	    ESP_DECRYPT_NEXT_DROP, false);
 	  vnet_crypto_async_reset_frame (*async_frame);
 	  vnet_crypto_async_free_frame (vm, *async_frame);
 	}
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 861b3e98650..ea0bf34dba4 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -1088,7 +1088,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	      n_noop += esp_async_recycle_failed_submit (
 		vm, *async_frame, node, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR,
 		IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi,
-		noop_nexts, drop_next);
+		noop_nexts, drop_next, true);
 	      vnet_crypto_async_reset_frame (*async_frame);
 	      vnet_crypto_async_free_frame (vm, *async_frame);
 	    }