ikev2: fix memleak when tunnel protect fails

Type: fix

Change-Id: I1d278fc2b03b948c054ff1686315635ac0278ae8
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 727082016f8822edcf40662d0059d3e8fab5e2ef)
Filip Tehlar
2020-11-10 09:32:13 +00:00
committed by Andrew Yourtchenko
parent 29ad98844b
commit 49de3282a3


@ -1862,21 +1862,37 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
vec_add1 (sas_in, a->old_remote_sa_id); vec_add1 (sas_in, a->old_remote_sa_id);
} }
rv |= ipsec_sa_add_and_lock (a->local_sa_id, rv = ipsec_sa_add_and_lock (a->local_sa_id,
a->local_spi, a->local_spi,
IPSEC_PROTOCOL_ESP, a->encr_type, IPSEC_PROTOCOL_ESP, a->encr_type,
&a->loc_ckey, a->integ_type, &a->loc_ikey, &a->loc_ckey, a->integ_type, &a->loc_ikey,
a->flags, 0, a->salt_local, &a->local_ip, a->flags, 0, a->salt_local, &a->local_ip,
&a->remote_ip, NULL, a->src_port, a->dst_port); &a->remote_ip, NULL, a->src_port, a->dst_port);
rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi, if (rv)
goto err0;
rv = ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi,
IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey,
a->integ_type, &a->rem_ikey, a->integ_type, &a->rem_ikey,
(a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0, (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0,
a->salt_remote, &a->remote_ip, a->salt_remote, &a->remote_ip,
&a->local_ip, NULL, a->ipsec_over_udp_port, &a->local_ip, NULL, a->ipsec_over_udp_port,
a->ipsec_over_udp_port); a->ipsec_over_udp_port);
if (rv)
goto err1;
rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in); rv = ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in);
if (rv)
goto err2;
return;
err2:
ipsec_sa_unlock_id (a->remote_sa_id);
err1:
ipsec_sa_unlock_id (a->local_sa_id);
err0:
vec_free (sas_in);
} }
static int static int
@ -4689,7 +4705,10 @@ ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa,
u32 *sas_in = NULL; u32 *sas_in = NULL;
vec_add1 (sas_in, csa->remote_sa_id); vec_add1 (sas_in, csa->remote_sa_id);
vlib_worker_thread_barrier_sync (vm); vlib_worker_thread_barrier_sync (vm);
ipsec_tun_protect_update (sw_if_index, NULL, csa->local_sa_id, sas_in); int rv = ipsec_tun_protect_update (sw_if_index, NULL,
csa->local_sa_id, sas_in);
if (rv)
vec_free (sas_in);
ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id)); ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id));
vlib_worker_thread_barrier_release (vm); vlib_worker_thread_barrier_release (vm);
} }
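Review bot: Both failure paths discard `rv` without recording it: the new `err0`/`err1`/`err2` labels only release resources before the function falls off its end (the bare `return;` shows it returns nothing), and in `ikev2_mngr_process_child_sa` `rv` only decides whether `vec_free (sas_in)` runs. As far as these lines show, a child SA whose tunnel protection could not be installed leaves no trace, so an operator cannot tell that IKE negotiated keys which the dataplane never applied. I would log the code at each failure point with the module's error logger, for example `if (rv) { ikev2_log_error ("tunnel protect update failed: %d", rv); vec_free (sas_in); }` in the second hunk (assuming that macro is available on this branch), and the same before each `goto`. Separately, `ipsec_sa_unlock_id (ikev2_flip_alternate_sa_bit (csa->remote_sa_id))` still runs when the update failed, which is worth confirming as intended. Both functions begin outside their hunks, and the second one appears to continue past the end of its hunk.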