From 2a2e5938a3a019f94b4acf53191bf4a42d72c68a Mon Sep 17 00:00:00 2001
From: Matthew G Smith <mgsmith@netgate.com>
Date: Wed, 22 May 2019 13:34:08 -0500
Subject: IPsec: modify post-decrypt buf len calculation

For tunnel mode, after decryption the buffer length was being adjusted
by adding (iv length + esp header size). Subtract it instead.

Required for BFD to work on an IPsec tunnel interface. BFD verifies
that the amount of received data is the expected size. It drops the
packet if the buffer metadata says that the packet buffer contains
more data than the packet headers say it should.

Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
---
 src/vnet/ipsec/esp_decrypt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/vnet/ipsec/esp_decrypt.c')

diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index a66eae7aadd..8272bb0dbcb 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -424,13 +424,13 @@ esp_decrypt_inline (vlib_main_t * vm,
 	    {
 	      next[0] = ESP_DECRYPT_NEXT_IP4_INPUT;
 	      b[0]->current_data = pd->current_data + adv;
-	      b[0]->current_length = pd->current_length + adv - tail;
+	      b[0]->current_length = pd->current_length - adv - tail;
 	    }
 	  else if (f->next_header == IP_PROTOCOL_IPV6)
 	    {
 	      next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
 	      b[0]->current_data = pd->current_data + adv;
-	      b[0]->current_length = pd->current_length + adv - tail;
+	      b[0]->current_length = pd->current_length - adv - tail;
 	    }
 	  else
 	    {
-- 
cgit 1.2.3-korg