[2/3] examples/ipsec_secgw: fix possible NULL dereference
Checks
Commit Message
Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
Coverity issue: 336844
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
examples/ipsec-secgw/ipsec_process.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
Comments
Hi Konstantin,
On 3/27/2019 3:03 PM, Konstantin Ananyev wrote:
> Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
> Coverity issue: 336844
>
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
> examples/ipsec-secgw/ipsec_process.c | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
> index e403c461a..3f9cacb8f 100644
> --- a/examples/ipsec-secgw/ipsec_process.c
> +++ b/examples/ipsec-secgw/ipsec_process.c
> @@ -217,16 +217,11 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
> pg = grp + i;
> sa = pg->id.ptr;
>
> - /* no valid SA found */
> - if (sa == NULL)
> - k = 0;
> -
> ips = &sa->ips;
I think this is not fixing the NULL dereference properly. This line
would give fault if sa is null.
> - satp = rte_ipsec_sa_type(ips->sa);
>
> /* no valid HW session for that SA, try to create one */
> - if (ips->crypto.ses == NULL &&
> - fill_ipsec_session(ips, ctx, sa) != 0)
> + if (sa == NULL || (ips->crypto.ses == NULL &&
> + fill_ipsec_session(ips, ctx, sa) != 0))
> k = 0;
>
> /* process packets inline */
> @@ -234,6 +229,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
> sa->type ==
> RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
>
> + satp = rte_ipsec_sa_type(ips->sa);
> +
> /*
> * This is just to satisfy inbound_sa_check()
> * and get_hop_for_offload_pkt().
Hi Akhil,
> > Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
> > Coverity issue: 336844
> >
> > Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> > examples/ipsec-secgw/ipsec_process.c | 11 ++++-------
> > 1 file changed, 4 insertions(+), 7 deletions(-)
> >
> > diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
> > index e403c461a..3f9cacb8f 100644
> > --- a/examples/ipsec-secgw/ipsec_process.c
> > +++ b/examples/ipsec-secgw/ipsec_process.c
> > @@ -217,16 +217,11 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
> > pg = grp + i;
> > sa = pg->id.ptr;
> >
> > - /* no valid SA found */
> > - if (sa == NULL)
> > - k = 0;
> > -
> > ips = &sa->ips;
> I think this is not fixing the NULL dereference properly. This line
> would give fault if sa is null.
I don't think it would - here we just get an address of ips,
we don't try to access it.
Konstantin
> > - satp = rte_ipsec_sa_type(ips->sa);
> >
> > /* no valid HW session for that SA, try to create one */
> > - if (ips->crypto.ses == NULL &&
> > - fill_ipsec_session(ips, ctx, sa) != 0)
> > + if (sa == NULL || (ips->crypto.ses == NULL &&
> > + fill_ipsec_session(ips, ctx, sa) != 0))
> > k = 0;
> >
> > /* process packets inline */
> > @@ -234,6 +229,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
> > sa->type ==
> > RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
> >
> > + satp = rte_ipsec_sa_type(ips->sa);
> > +
> > /*
> > * This is just to satisfy inbound_sa_check()
> > * and get_hop_for_offload_pkt().
On 3/27/2019 6:49 PM, Ananyev, Konstantin wrote:
> Hi Akhil,
>
>>> Fixes: 3e5f4625dc17 ("examples/ipsec-secgw: make data-path to use IPsec library")
>>> Coverity issue: 336844
>>>
>>> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
>>> ---
>>> examples/ipsec-secgw/ipsec_process.c | 11 ++++-------
>>> 1 file changed, 4 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c
>>> index e403c461a..3f9cacb8f 100644
>>> --- a/examples/ipsec-secgw/ipsec_process.c
>>> +++ b/examples/ipsec-secgw/ipsec_process.c
>>> @@ -217,16 +217,11 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
>>> pg = grp + i;
>>> sa = pg->id.ptr;
>>>
>>> - /* no valid SA found */
>>> - if (sa == NULL)
>>> - k = 0;
>>> -
>>> ips = &sa->ips;
>> I think this is not fixing the NULL dereference properly. This line
>> would give fault if sa is null.
> I don't think it would - here we just get an address of ips,
> we don't try to access it.
> Konstantin
ok got it.. I missed the '&'..
>
>>> - satp = rte_ipsec_sa_type(ips->sa);
>>>
>>> /* no valid HW session for that SA, try to create one */
>>> - if (ips->crypto.ses == NULL &&
>>> - fill_ipsec_session(ips, ctx, sa) != 0)
>>> + if (sa == NULL || (ips->crypto.ses == NULL &&
>>> + fill_ipsec_session(ips, ctx, sa) != 0))
>>> k = 0;
>>>
>>> /* process packets inline */
>>> @@ -234,6 +229,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
>>> sa->type ==
>>> RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
>>>
>>> + satp = rte_ipsec_sa_type(ips->sa);
>>> +
>>> /*
>>> * This is just to satisfy inbound_sa_check()
>>> * and get_hop_for_offload_pkt().
@@ -217,16 +217,11 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
pg = grp + i;
sa = pg->id.ptr;
- /* no valid SA found */
- if (sa == NULL)
- k = 0;
-
ips = &sa->ips;
- satp = rte_ipsec_sa_type(ips->sa);
/* no valid HW session for that SA, try to create one */
- if (ips->crypto.ses == NULL &&
- fill_ipsec_session(ips, ctx, sa) != 0)
+ if (sa == NULL || (ips->crypto.ses == NULL &&
+ fill_ipsec_session(ips, ctx, sa) != 0))
k = 0;
/* process packets inline */
@@ -234,6 +229,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf)
sa->type ==
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ satp = rte_ipsec_sa_type(ips->sa);
+
/*
* This is just to satisfy inbound_sa_check()
* and get_hop_for_offload_pkt().