From 9be93c8f85d752930566a1d37e9f4841ca78861f Mon Sep 17 00:00:00 2001
From: Ole Troan <ot@cisco.com>
Date: Fri, 28 Sep 2018 14:28:00 +0200
Subject: MAP: Add check for well known ports.

And more unit-tests.

Change-Id: I4667d82d928b7ba8d96b5a5648d464115b3ed216
Signed-off-by: Ole Troan <ot@cisco.com>
---
 src/plugins/map/ip4_map_t.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/plugins')

diff --git a/src/plugins/map/ip4_map_t.c b/src/plugins/map/ip4_map_t.c
index c6b091294bb..a64b767c908 100644
--- a/src/plugins/map/ip4_map_t.c
+++ b/src/plugins/map/ip4_map_t.c
@@ -736,6 +736,14 @@ ip4_map_t (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
 	  ip4_map_t_classify (p0, d0, ip40, ip4_len0, &map_port0, &error0,
 			      &next0);
 
+	  /* Verify that port is not among the well-known ports */
+	  if ((d0->psid_length > 0 && d0->psid_offset > 0)
+	      && (clib_net_to_host_u16 (map_port0) <
+		  (0x1 << (16 - d0->psid_offset))))
+	    {
+	      error0 = MAP_ERROR_SEC_CHECK;
+	    }
+
 	  //Add MAP-T pseudo header in front of the packet
 	  vlib_buffer_advance (p0, -sizeof (*pheader0));
 	  pheader0 = vlib_buffer_get_current (p0);
-- 
cgit 1.2.3-korg