[v2,3/5] linux-gen: ipsec: fix SA leak in lookup case

Message ID	1517238014-22220-4-git-send-email-odpbot@yandex.ru
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) client-ip=54.197.127.237; From: Github ODP bot <odpbot@yandex.ru> To: lng-odp@lists.linaro.org Date: Mon, 29 Jan 2018 18:00:12 +0300 Message-Id: <1517238014-22220-4-git-send-email-odpbot@yandex.ru> In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru> References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 427 Subject: [lng-odp] [PATCH v2 3/5] linux-gen: ipsec: fix SA leak in lookup case Precedence: list Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>
Series	[v2,1/5] linux-gen: ipsec: disallow using SAs while they are being created \| expand [v2,1/5] linux-gen: ipsec: disallow using SAs while they are being created [v2,2/5] linux-gen: ipsec: fix SA leak in odp_ipsec_sa_create [v2,3/5] linux-gen: ipsec: fix SA leak in lookup case [v2,4/5] linux-gen: ipsec: prevent sa_lookup from matching outbound SAs [v2,5/5] linux-gen: ipsec: fix SA leak in SA creation

Message ID

1517238014-22220-4-git-send-email-odpbot@yandex.ru

State

New

Headers

Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org
	designates 54.197.127.237 as permitted sender)
	client-ip=54.197.127.237; 
From: Github ODP bot <odpbot@yandex.ru>
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:12 +0300
Message-Id: <1517238014-22220-4-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 3/5] linux-gen: ipsec: fix SA leak in lookup
	case
Precedence: list
Errors-To: lng-odp-bounces@lists.linaro.org
Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>

Series

[v2,1/5] linux-gen: ipsec: disallow using SAs while they are being created | expand

Commit Message

Github ODP bot Jan. 29, 2018, 3 p.m. UTC

From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


SA lookup can leave SAs locked if multiple SAs matched the LOOKUP_SPI
case. Follow that case if we have no 'best' option.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3595
Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
 platform/linux-generic/odp_ipsec_sad.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index 162626de0..ad229e754 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -575,9 +575,10 @@  ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup)
 			if (NULL != best)
 				_odp_ipsec_sa_unuse(best);
 			return ipsec_sa;
-		} else if (ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode &&
-				lookup->proto == ipsec_sa->proto &&
-				lookup->spi == ipsec_sa->spi) {
+		} else if (NULL == best &&
+			   ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode &&
+			   lookup->proto == ipsec_sa->proto &&
+			   lookup->spi == ipsec_sa->spi) {
 			best = ipsec_sa;
 		} else {
 			_odp_ipsec_sa_unuse(ipsec_sa);