examples/ipsec-secgw: fix corner case for SPI value

IPSec application is using index 0 of SA table as error, with current value of IPSEC_SA_MAX_ENTRIES(128) it can not support SA with spi = 128, as it uses sa_idx = 0 in the SA table. With this patch, sa_idx = 0 can also be used. PS: spi = 0 is an invalid SPI and application throws error for it. Fixes: d299106e8e31 ("examples/ipsec-secgw: add IPsec sample application") Cc: stable@dpdk.org Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Radu Nicolau <radu.nicolau@intel.com>
2018-01-11 17:25:36 +05:30 · 2018-01-11 17:25:36 +05:30 · 2a5106af13
commit 2a5106af13
parent 84d4b5e4ec
2 changed files with 6 additions and 3 deletions
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@ -422,7 +422,8 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip,
 		}

 		sa_idx = ip->res[i] & PROTECT_MASK;
-		if (sa_idx == 0 || !inbound_sa_check(sa, m, sa_idx)) {
+		if (sa_idx >= IPSEC_SA_MAX_ENTRIES ||
+				!inbound_sa_check(sa, m, sa_idx)) {
 			rte_pktmbuf_free(m);
 			continue;
 		}
@ -487,9 +488,9 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip,
 	for (i = 0; i < ip->num; i++) {
 		m = ip->pkts[i];
 		sa_idx = ip->res[i] & PROTECT_MASK;
-		if ((ip->res[i] == 0) || (ip->res[i] & DISCARD))
+		if (ip->res[i] & DISCARD)
 			rte_pktmbuf_free(m);
-		else if (sa_idx != 0) {
+		else if (sa_idx < IPSEC_SA_MAX_ENTRIES) {
 			ipsec->res[ipsec->num] = sa_idx;
 			ipsec->pkts[ipsec->num++] = m;
 		} else /* BYPASS */
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@ -240,6 +240,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 	APP_CHECK_TOKEN_IS_NUM(tokens, 1, status);
 	if (status->status < 0)
 		return;
+	if (atoi(tokens[1]) == INVALID_SPI)
+		return;
 	rule->spi = atoi(tokens[1]);

 	for (ti = 2; ti < n_tokens; ti++) {