diff options
author | Steven <sluong@cisco.com> | 2018-04-24 22:43:07 -0700 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2018-04-25 16:49:51 +0000 |
commit | 074883a2234c0e3bb60933455f9e93ea4a4f5571 (patch) | |
tree | a808ec4680f3ce28edd82457a1c1ba8fa32a55ea /src/vnet | |
parent | c576622667199db906efa3110ad25e552b3a0890 (diff) |
span: crash in span_mirror [VPP-1254]
It is possible for span-input to get call with sw_if_index which is greater than
sm->interfaces and crashes in span_mirror () in the following line
span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0);
For example, span-input mirrors a main interface as source, it may actually get
call for traffic coming in from the subinterface and crashes.
The fix is simply to check if sw_if_index >= vec_len (sm->interfaces) and
punt if it is.
Change-Id: I8312eb321d638518e14ba2326fffd1a7919646ca
Signed-off-by: Steven <sluong@cisco.com>
(cherry picked from commit 516d63ff2c6671f3b0dc641511a50017a9804179)
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/span/node.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/vnet/span/node.c b/src/vnet/span/node.c index 8e2105bcc82..13e92abd5eb 100644 --- a/src/vnet/span/node.c +++ b/src/vnet/span/node.c @@ -70,9 +70,14 @@ span_mirror (vlib_main_t * vm, vlib_node_runtime_t * node, u32 sw_if_index0, vnet_main_t *vnm = &vnet_main; u32 *to_mirror_next = 0; u32 i; + span_interface_t *si0; + span_mirror_t *sm0; - span_interface_t *si0 = vec_elt_at_index (sm->interfaces, sw_if_index0); - span_mirror_t *sm0 = &si0->mirror_rxtx[sf][rxtx]; + if (sw_if_index0 >= vec_len (sm->interfaces)) + return; + + si0 = vec_elt_at_index (sm->interfaces, sw_if_index0); + sm0 = &si0->mirror_rxtx[sf][rxtx]; if (sm0->num_mirror_ports == 0) return; |