From 5e62c84bb7058b58d9f0fa3b5eff9af93c073274 Mon Sep 17 00:00:00 2001
From: Dave Barach <dave@barachs.net>
Date: Wed, 8 Apr 2020 12:03:32 -0400
Subject: ping: fix buffer allocator error handling

The code sets f->n_vectors = n_to_send, but it can bail out of the
loop if vlib_buffer_copy(...) returns 0.

Need to fix f->n_vectors in the error return path, or we enqueue some
number of 0xfefefefe buffer indices in a debug image or worse in a
production image.

Type: fix

Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2d886266006c6c1c2f9ef8e3b95eb46ac6c0b3df
(cherry picked from commit 8324c55f95dd5ddbf1f5f9c47907204a12e152ef)
---
 src/plugins/ping/ping.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/plugins/ping/ping.c b/src/plugins/ping/ping.c
index 7d503774a30..f0b33cd0ed3 100755
--- a/src/plugins/ping/ping.c
+++ b/src/plugins/ping/ping.c
@@ -727,6 +727,8 @@ ip46_enqueue_packet (vlib_main_t * vm, vlib_buffer_t * b0, u32 burst,
    * we did not enqueue it here yet.
    */
 ship_and_ret:
+  ASSERT (n_to_send <= f->n_vectors);
+  f->n_vectors -= n_to_send;
   n_sent += f->n_vectors;
   vlib_put_frame_to_node (vm, lookup_node_index, f);
   return n_sent;
-- 
cgit 1.2.3-korg