From 0c1454c1f3abfdbcf9ceb9cdbd4e3596a94d6a0f Mon Sep 17 00:00:00 2001 From: Xiaoming Jiang Date: Fri, 5 May 2023 02:28:20 +0000 Subject: ipsec: fix ipsec_set_next_index set with wrong sa index when async frame commit failed Type: fix Signed-off-by: Xiaoming Jiang Change-Id: Ib4c61906a9cbb3eea1214394d164ecffb38fd36d --- src/vnet/ipsec/esp.h | 62 ++++++++++++++++++++++++++------------------ src/vnet/ipsec/esp_decrypt.c | 2 +- src/vnet/ipsec/esp_encrypt.c | 2 +- 3 files changed, 39 insertions(+), 27 deletions(-) (limited to 'src/vnet/ipsec') diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index 311882af08e..72abb9f0dbd 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -211,31 +211,6 @@ esp_decrypt_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node, drop_next, sa_index); } -/* when submitting a frame is failed, drop all buffers in the frame */ -always_inline u32 -esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f, - vlib_node_runtime_t *node, u32 err, - u32 ipsec_sa_err, u16 index, u32 *from, - u16 *nexts, u16 drop_next_index) -{ - vlib_buffer_t *b; - u32 n_drop = f->n_elts; - u32 *bi = f->buffer_indices; - - while (n_drop--) - { - from[index] = bi[0]; - b = vlib_get_buffer (vm, bi[0]); - ipsec_set_next_index (b, node, vm->thread_index, err, ipsec_sa_err, - index, nexts, drop_next_index, - vnet_buffer (b)->ipsec.sad_index); - bi++; - index++; - } - - return (f->n_elts); -} - /** * The post data structure to for esp_encrypt/decrypt_inline to write to * vib_buffer_t opaque unused field, and for post nodes to pick up after @@ -310,6 +285,43 @@ typedef struct extern esp_async_post_next_t esp_encrypt_async_next; extern esp_async_post_next_t esp_decrypt_async_next; +/* when submitting a frame is failed, drop all buffers in the frame */ +always_inline u32 +esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f, + vlib_node_runtime_t *node, u32 err, + u32 ipsec_sa_err, u16 index, u32 *from, + u16 *nexts, u16 drop_next_index, + bool is_encrypt) +{ + vlib_buffer_t *b; + u32 n_drop = f->n_elts; + u32 *bi = f->buffer_indices; + + while (n_drop--) + { + u32 sa_index; + + from[index] = bi[0]; + b = vlib_get_buffer (vm, bi[0]); + + if (is_encrypt) + { + sa_index = vnet_buffer (b)->ipsec.sad_index; + } + else + { + sa_index = esp_post_data (b)->decrypt_data.sa_index; + } + + ipsec_set_next_index (b, node, vm->thread_index, err, ipsec_sa_err, + index, nexts, drop_next_index, sa_index); + bi++; + index++; + } + + return (f->n_elts); +} + #endif /* __ESP_H__ */ /* diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 827d168f98a..6db1fe305c8 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -1246,7 +1246,7 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR, IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, noop_nexts, - ESP_DECRYPT_NEXT_DROP); + ESP_DECRYPT_NEXT_DROP, false); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); } diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 861b3e98650..ea0bf34dba4 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -1088,7 +1088,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, - noop_nexts, drop_next); + noop_nexts, drop_next, true); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); } -- cgit 1.2.3-korg