From b753554e25d59e684288c03af261bb690e4b0a66 Mon Sep 17 00:00:00 2001
From: Fan Zhang <fanzhang.oss@gmail.com>
Date: Wed, 17 Jul 2024 16:08:12 +0100
Subject: ipsec: fix integer overflow

Type: fix
Coverity issue: 394440

Change-Id: I915a088145ee1317a7c8746b517f4af50323aa11
Signed-off-by: Fan Zhang <fanzhang.oss@gmail.com>
---
 src/vnet/ipsec/ipsec_sa.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/vnet')

diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 4f73f1eab0f..640d9288a42 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -486,7 +486,7 @@ ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq,
       return 0;
     }
 
-  if (PREDICT_TRUE (sa->seq >= window_size - 1))
+  if (PREDICT_TRUE (window_size > 0 && sa->seq >= window_size - 1))
     {
       /*
        * the last sequence number VPP received is more than one
-- 
cgit 1.2.3-korg