Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I56c4682aef59ed0e69073f9001341c425e65bd48
|
|
Type: fix
two problems;
1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
- fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
...
if (post_decrypt)
{
if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
* packet is the same as the last-sequnence number of the SA.
* that means this packet did not cause a wrap.
* this packet is thus out of window and should be dropped */
return 1;
else
/* The packet decrypted with a different high sequence number
* to the SA, that means it is the wrap packet and should be
* accepted */
return 0;
}
- fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.
other consequences:
- An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
- there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
- test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
|
|
According to RFC 793, the ACK control bit is always sent once
the connection is established.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: Id0fe19114a0cc468dbce4c0938b345c2ac339e73
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If585b9c48f67599c56a8c4b4a5139375bc4287f6
|
|
ipsec4_input_node
ipsec_spd_policy_counters are incremented only for matched inbound
PROTECT actions (:273 and :370). BYPASS + DISCARD actions also have
SPD policy counters that should be incremented on match.
This fix increments the counters for inbound BYPASS and DISCARD actions.
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iac3c6d344be25ba5326e1ed45115ca299dee5f49
|
|
Type: fix
Signed-off-by: wanghanlin <wanghanlin@corp.netease.com>
Change-Id: Icd2fc3cc2d0a0a6060abfb262044cf9e09ab4ba2
|
|
In stress test case, memset may consume a lot of CPU because
vls_epoll_wait is called very frequently.
Type: improvement
Signed-off-by: wanghanlin <wanghanlin@corp.netease.com>
Change-Id: I9b4e1d6e1c4d7217cf0b2529d8efed792dea7b40
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I3d208f8ef4638e7557929f4b2bca4d640af85baa
|
|
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a
bit mean to require the client to fill out all the other information as
well.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
|
|
If an IPv6 Link Layer Address is missing from an interface,
treat it as a down interface. While this fails to send a
VRRP multicast group join, it also prevents a seg fault.
Type: fix
Fixes: 39e9428b90bc74d1bb15fc17759c8ef6ad712418
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: Iebf69bb30604a96de6587655eb872aa818158a56
|
|
Puts return statements back inside code blocks under the lock
Type: fix
Change-Id: I76d426f336200035026b92bcb0ffe2b472a3142d
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
|
|
Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Ie5c197f6ec0d41d5e405b22662701d83ad94d29e
|
|
Type: fix
Signed-off-by: Xiaoming Jiang <jiangxiaoming@outlook.com>
Change-Id: I2c2b739a5aa246bbf53d6663efd403c3aee9dddd
|
|
Type: fix
Outbound packets which arrive on tun/L3 interfaces use a default
adjacency for the interface & address family from the corresponding
interface pair. However, there are entries in the linux-cp adj table
that are created for them. Managing these entries might cause a
segfault because the rewrite data might exceed the reserved space for
it of 28 bytes in the linux-cp adj key (e.g. in case of GRE IPv6).
With this change, stop creating adjacencies for tun/L3 interfaces in
the linux-cp adj table and delegating them.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I4bcd685860053ab87c65064c182e3ed53fd4fae9
|
|
==283032==AddressSanitizer CHECK failed: compiler-rt/lib/asan/asan_mapping.h:366
"((AddrIsInMem(p))) != (0)" (0x0, 0x0)
#0 0x49c128 in __asan::AsanCheckFailed
#1 0x4ae8dc in __sanitizer::CheckFailed
#2 0x495dec in __asan::ShadowSegmentEndpoint::ShadowSegmentEndpoint
#3 0x495e48 in __asan_unpoison_memory_region
#4 0xfffff4e851f8 in svm_map_region /home/vpp/src/svm/svm.c:611:7
#5 0xfffff4e86d9c in svm_region_init_internal /home/vpp/src/svm/svm.c:797:8
#6 0xfffff4e87ce4 in svm_region_init_args /home/vpp/src/svm/svm.c:880:3
#7 0xfffff7f30d30 in vlibmemory_init /home/vpp/src/vlibmemory/memory_api.c:974:3
#8 0xfffff4fd5368 in vlib_main /home/vpp/src/vlib/main.c:1986:16
svm_global_region_base_va 0x200000000000 is not in the aarch64 mapping range,
leading check failure and vpp cannot start.
aarch64 asan mapping
|| `[0x201000000000, 0xffffffffffff]` || HighMem ||
|| `[0x041200000000, 0x200fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0411ffffffff]` || ShadowGap ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem ||
x86 asan mapping
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem ||
Type: fix
Signed-off-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: I55ddbdcd361d66d4cfaf6459b2fa20fd8b64af37
|
|
Applications like curl will poll the fd after a non-blocking
connect, so we need to avoid returning the wrong event.
Type: fix
Signed-off-by: liuyacan <liuyacan@corp.netease.com>
Change-Id: I7ea146fc954fda631b3d88b46bb80adfbcdf137c
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7b84767e75d5f8310ec071036a5780fa4530f79f
|
|
Type: improvement
Allow callbacks to be registered which will be called when an
interface pair is added or deleted.
Change-Id: I1c413ac2ada802021f9e56e2f878ce67e5eda2f5
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I4f9316b16f16a48e2042aa17db596bfd181bd314
|
|
Type: fix
Fixes: bf55e9931ce203049385fbf55dde291ead556679
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I5410a7a5a8cdc1d41abcc42fe5b42e6e2991dc06
|
|
If ICMP comes from a router on path, source address must not be
rewritten in o2i path to avoid getting wrong checksum.
Fix ICMP checksum computations.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I148022278a792b3687402b6915fe6fb513858a2a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7ec4bbb21a079c6f6adfb4f954054b2b07bf19c5
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0971f12b7b82d5134d06ed0539d41624429c992b
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I3c06e9cb3fabdcdce9c17e93cfedfd771295f589
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibe32f7965f8cf457c39845713b029c8a4647ee55
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I047310b8c9fcc51dcfb187710ff59b7895abe217
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I13dae61ddb7150c7fe9a7fd0eae73055ff3f2816
|
|
Type: improvement
Set port type and supported flow actions on 2.5G Intel NICs which are
managed by the igc PMD.
Change-Id: Id144eaa158e24a3f10effb6b517d1c62fba0d2e8
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ic7979755494a2fd23b9fa3d74e14f6b9ea0a46d0
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I39505763371c98b75ff7b697dacd3eeb0d41d40a
|
|
ASan poison/unpoison vectors based on the vector length, but _vec_len()
bypass ASan annotations, contrary to vec_set_len().
Type: fix
Change-Id: I5265a5adcddef1aa11c77e0c3827346b1a66c306
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
When copying sessions from parent on fork, we should validate vep handle
in order to EPOLL_CTL_DEL in vcl_session_cleanup correctly when child
exit.
Type: fix
Signed-off-by: wanghanlin <wanghanlin@corp.netease.com>
Change-Id: I7696ecd898460c9a296d2800e46c7140e2218ed7
|
|
Main process may enter sighandler with a lock, such as lock in localtime
or in mspace_free, and child wrk cleanup may try to get such locks and
cause deadlock.
The patch move cleanup to vls_epoll_wait to wait app's next call.
Type: fix
Signed-off-by: wanghanlin <wanghanlin@corp.netease.com>
Change-Id: I9b208038a0f49b0ace44684189234aeac9d94730
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0a2c1cbbe798ddf9d08da78bf0b458a0f54fa13a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0bdf870e2e9b0ebc11a3ce252fbd0667a83de4e6
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I03f51393a92bae45608d9fc9f53164f3b0add3cd
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I1de45c4db57444d2d2c9fb91b8a66a4f01be699b
|
|
TTL was already decremented in ip4-rewrite so it's okay if it's 1.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0db7343e907524af5adb2f4771b45712927d5833
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Iacaefbf04834f000a14f151c4b848f280ac46d63
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I5dd30870443a22a7da65f6b5a6d3967991e2aceb
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I7a0a189ce635a4a74e63ac4cb133686b8b7ba53a
|
|
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ib563e2c09d46cc26fb983ffde3d5fcb88166f6a5
|
|
In some part of VPP we are accessing memory past what was allocated for
efficiency when we know it is safe to do so. We need to tell ASan about
it so it does not complain.
The initial attempt was too simple and could not manage cases where the
poisoned memory was scattered. This new attempt is more robust as we
save and restore the full shadow state.
Note it will still not work properly if we poison/unpoison memory while
in an overflow context, but this should not be a big issue as overflow
should only be temporary.
Type: fix
Change-Id: I636f44eb59aa8455a4d13929a3791b56619af7b4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I0994241df94ad7536be323b9d7c48caf38cc4267
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I76be91715953c7cbe704961d1a56c48334656e19
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Idf0c24c9c8f8f3c267285c6a231c9c1a364a902a
|
|
Use autogenerated code.
Does not change API definitions.
Type: improvement
Change-Id: I864979ce490651bf1f5fed107620e9bc4ca4bf93
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Use autogenerated code
Type: improvement
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: I02f53486723f7ac7e9026ff092b63e86dff13232
|