From 943fb1559396016ea452cb07f169e0d4c28760bf Mon Sep 17 00:00:00 2001
From: Dave Barach <dave@barachs.net>
Date: Wed, 8 Apr 2020 12:03:32 -0400
Subject: ping: fix buffer allocator error handling

The code sets f->n_vectors = n_to_send, but it can bail out of the
loop if vlib_buffer_copy(...) returns 0.

Need to fix f->n_vectors in the error return path, or we enqueue some
number of 0xfefefefe buffer indices in a debug image or worse in a
production image.

Type: fix

Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2d886266006c6c1c2f9ef8e3b95eb46ac6c0b3df
(cherry picked from commit 8324c55f95dd5ddbf1f5f9c47907204a12e152ef)
---
 src/plugins/ping/ping.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/plugins/ping/ping.c b/src/plugins/ping/ping.c
index 7045648d872..f56f44ffb26 100755
--- a/src/plugins/ping/ping.c
+++ b/src/plugins/ping/ping.c
@@ -933,6 +933,8 @@ ip46_enqueue_packet (vlib_main_t * vm, vlib_buffer_t * b0, u32 burst,
    * we did not enqueue it here yet.
    */
 ship_and_ret:
+  ASSERT (n_to_send <= f->n_vectors);
+  f->n_vectors -= n_to_send;
   n_sent += f->n_vectors;
   vlib_put_frame_to_node (vm, lookup_node_index, f);
   return n_sent;
-- 
cgit 1.2.3-korg