From c520fe7ab9db6fa60f9e69be990dd5c83eb40522 Mon Sep 17 00:00:00 2001
From: Benoît Ganne
Date: Tue, 29 Oct 2019 11:13:05 +0100
Subject: ipsec: fix esp trace seq number overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Do not copy invalid seq number if packet is too small.

Type: fix
Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8
Signed-off-by: Benoît Ganne
---
 src/vnet/ipsec/ipsec_if_in.c | 12 +++++++++---
 src/vnet/ipsec/ipsec_tun_in.c | 4 +++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c
index f9341d62a68..974227f7a0e 100644
--- a/src/vnet/ipsec/ipsec_if_in.c
+++ b/src/vnet/ipsec/ipsec_if_in.c
@@ -457,7 +457,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 else
 clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
 tr->is_ip6 = is_ip6;
- tr->seq = clib_host_to_net_u32 (esp0->seq);
+ tr->seq =
+ len0 >=
+ sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
 }
 if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
 {
@@ -468,7 +470,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 else
 clib_memcpy (&tr->key4, &key41, sizeof (tr->key4));
 tr->is_ip6 = is_ip6;
- tr->seq = clib_host_to_net_u32 (esp1->seq);
+ tr->seq =
+ len1 >=
+ sizeof (*esp1) ? clib_host_to_net_u32 (esp1->seq) : ~0;
 }
 }
 
@@ -641,7 +645,9 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 else
 clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
 tr->is_ip6 = is_ip6;
- tr->seq = clib_host_to_net_u32 (esp0->seq);
+ tr->seq =
+ len0 >=
+ sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
 }
 }
 
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index 04f7a9296ab..d88cc08ddbd 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
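Review bot: The `~0` fallback in the new `tr->seq` assignment has the same value as a genuine ESP sequence number of 0xffffffff, so someone reading the trace cannot tell a too-short packet from one at the top of the sequence space. Nothing in the hunk documents the sentinel; a comment such as `/* ~0: packet too short to hold an ESP header, seq not read */` above the assignment would make the trace interpretable, and an explicit flag in the trace record would remove the ambiguity entirely if that matters when debugging anti-replay behaviour. The same three-line expression is repeated in the len1/esp1 hunk and the third hunk of this file and again in ipsec_tun_in.c, so a small shared inline helper would keep the bound and the sentinel in one place. The enclosing function starts and ends outside the hunk.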
@@ -376,7 +376,9 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 else
 clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
 tr->is_ip6 = is_ip6;
- tr->seq = clib_host_to_net_u32 (esp0->seq);
+ tr->seq =
+ len0 >=
+ sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
 }
 }
 
--
cgit 1.2.3-korg
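Review bot: The guard `len0 >= sizeof (*esp0)` is only a sound bound if len0 counts the bytes available starting at esp0, and both variables are assigned outside this hunk, so that cannot be confirmed from here. If len0 in ipsec_tun_protect_input_inline is taken at a different offset than esp0, or is a whole-chain length rather than what is contiguous in the first buffer, the trace path could still read `esp0->seq` beyond the data actually present. I would state the invariant next to the check, e.g. `/* len0 is measured from esp0; read seq only when a full ESP header is present */`, and confirm it against the place where len0 is computed.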