diff mbox series

[v1,3/4] linux-gen: ipsec: fix SA leak in lookup case

Message ID 1516809608-18061-4-git-send-email-odpbot@yandex.ru
State Superseded
Headers show
Series [v1,1/4] linux-gen: ipsec: disallow using SAs while they are being created | expand

Commit Message

Github ODP bot Jan. 24, 2018, 4 p.m. UTC
From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


SA lookup can leave SAs locked if multiple SAs matched the LOOKUP_SPI
case. Follow that case if we have no 'best' option.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3595
Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974
 **/
 platform/linux-generic/odp_ipsec_sad.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index 162626de0..ad229e754 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -575,9 +575,10 @@  ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup)
 			if (NULL != best)
 				_odp_ipsec_sa_unuse(best);
 			return ipsec_sa;
-		} else if (ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode &&
-				lookup->proto == ipsec_sa->proto &&
-				lookup->spi == ipsec_sa->spi) {
+		} else if (NULL == best &&
+			   ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode &&
+			   lookup->proto == ipsec_sa->proto &&
+			   lookup->spi == ipsec_sa->spi) {
 			best = ipsec_sa;
 		} else {
 			_odp_ipsec_sa_unuse(ipsec_sa);