From b75bde18c44420021ae9800b584b1c644fed2a87 Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Thu, 16 Nov 2023 02:27:29 +0000 Subject: ipsec: keep esp encrypt pointer and index synced Type: fix In esp_encrypt_inline(), an index and pointer to the last processed SA are stored. If the next packet uses the same SA, we defer on updating counters until a different SA is encountered. The pointer was being retrieved, then the SA was checked to see if the packet should be dropped due to no crypto/integ algs, then the index was updated. If the check failed, we would skip further processing and now the pointer refers to a different SA than the index. When you have a batch of packets that are encrypted using an SA followed by a packet which is dropped for no algs and then more packets to be encrypted using the original SA, the packets that arrive after the one that was dropped end up being processed using a pointer that refers to the wrong SA data. This can result in a segv. Update the current_sa_index at the same time that the sa0 pointer is updated. Signed-off-by: Matthew Smith Change-Id: I65f1511a37475b4f737f5e1b51749c0a30e88806 (cherry picked from commit dac9e566cd16fc375fff14280b37cb5135584fc6) --- src/vnet/ipsec/esp_encrypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index a836453b58e..8a1ac7e1ebb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -690,6 +690,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, current_sa_packets = current_sa_bytes = 0; sa0 = ipsec_sa_get (sa_index0); + current_sa_index = sa_index0; if (PREDICT_FALSE ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_NONE && sa0->integ_alg == IPSEC_INTEG_ALG_NONE) && @@ -701,7 +702,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, sa_index0); goto trace; } - current_sa_index = sa_index0; vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index, current_sa_index); -- cgit 1.2.3-korg