-rw-r--r--src/vnet/ipsec/ipsec_tun.c6
-rw-r--r--src/vnet/ipsec/ipsec_tun.h4
2 files changed, 9 insertions, 1 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 07dd9ea409b..268f7783ebf 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -626,6 +626,12 @@ ipsec_tun_protect_update (u32 sw_if_index,
format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
format_ip_address, nh);
+ if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
+ {
+ rv = VNET_API_ERROR_LIMIT_EXCEEDED;
+ goto out;
+ }
+
rv = 0;
im = &ipsec_main;
if (NULL == nh)
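Review bot: The new length check in ipsec_tun_protect_update has no comment linking it to the fixed-size `itp_in_sas[ITP_MAX_N_SA_IN]` array in ipsec_tun_protect_t, so a later refactor could move or drop it without noticing that it is the only bound on `sas_in` visible in this change. I would add `/* itp_in_sas[] holds at most ITP_MAX_N_SA_IN entries inline; reject longer lists */` directly above the `if`. The `out:` label and the rest of the function are outside the hunk. It is worth confirming that this early jump leaves `sas_in` owned and released by the same party as on the other error paths, and that every caller propagates `VNET_API_ERROR_LIMIT_EXCEEDED` instead of discarding the return value.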
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index 863afdbba5a..90f299668dc 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -59,6 +59,8 @@ typedef struct ipsec_ep_t_
ip46_address_t dst;
} ipsec_ep_t;
+#define ITP_MAX_N_SA_IN 4
+
typedef struct ipsec_tun_protect_t_
{
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
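Review bot: `ITP_MAX_N_SA_IN` is defined without a comment, although this commit gives it two roles: it sizes `itp_in_sas[]` in ipsec_tun_protect_t and it is the limit enforced on `sas_in` in ipsec_tun_protect_update. A one-line comment such as `/* max inbound SAs per tunnel protection; sizes itp_in_sas[] and bounds sas_in in ipsec_tun_protect_update() */` would keep the array size and the check from drifting apart. The struct body continues outside this hunk. If any loop or API-side code elsewhere still hard-codes 4 for this array (not visible here), it should use the macro as well.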
@@ -67,7 +69,7 @@ typedef struct ipsec_tun_protect_t_
/* not using a vector since we want the memory inline
* with this struct */
u32 itp_n_sa_in;
- index_t itp_in_sas[4];
+ index_t itp_in_sas[ITP_MAX_N_SA_IN];
u32 itp_sw_if_index;