[v1,1/1] linux-gen: ipsec: fix sliding window shifts

Message ID 1536663606-8007-2-git-send-email-odpbot@yandex.ru
State New

Commit Message

Github ODP bot Sept. 11, 2018, 11 a.m.
From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


If shift is greater than window bit-width, bit shift results in
undefined behaviour. Rewrite code to explicitly set the mask in such
cases.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3999
---
/** Email created from pull request 697 (lumag:ipsec-seq)
 ** https://github.com/Linaro/odp/pull/697
 ** Patch: https://github.com/Linaro/odp/pull/697.patch
 ** Base sha: 33fbc04b6373960ec3f84de4e7e7b34c49d71508
 ** Merge commit sha: ec1eaa3b88c25979551791e3eb7f43ee6b10deed
 **/
 platform/linux-generic/odp_ipsec_sad.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

Patch

diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index 11f37fd8f..3c19939e4 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -701,18 +701,17 @@  int _odp_ipsec_sa_replay_update(ipsec_sa_t *ipsec_sa, uint32_t seq,
 		if (seq + IPSEC_ANTIREPLAY_WS <= max_seq) {
 			status->error.antireplay = 1;
 			return -1;
-		}
-
-		if (seq > max_seq) {
+		} else if (seq >= max_seq + IPSEC_ANTIREPLAY_WS) {
+			mask = 1;
+			max_seq = seq;
+		} else if (seq > max_seq) {
 			mask <<= seq - max_seq;
 			mask |= 1;
 			max_seq = seq;
+		} else if (mask & (1U << (max_seq - seq))) {
+			status->error.antireplay = 1;
+			return -1;
 		} else {
-			if (mask & (1U << (max_seq - seq))) {
-				status->error.antireplay = 1;
-				return -1;
-			}
-
 			mask |= (1U << (max_seq - seq));
 		}
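
Review bot: In the new `else if (seq >= max_seq + IPSEC_ANTIREPLAY_WS)` branch the addition can wrap if it is computed in 32 bits, as the `uint32_t seq` parameter suggests. Once max_seq is within IPSEC_ANTIREPLAY_WS of the 32-bit maximum the sum becomes a small number, so a seq that is older than max_seq but still inside the window passes the test, and the branch then sets `max_seq = seq` and `mask = 1`, moving the window backwards and discarding the record of which sequence numbers were already seen. Comparing the difference instead, for example `seq > max_seq && seq - max_seq >= IPSEC_ANTIREPLAY_WS`, avoids the overflow; the context line `seq + IPSEC_ANTIREPLAY_WS <= max_seq` at the top of the hunk has the same wrap and could be rewritten the same way. The shifts that remain (`mask <<= seq - max_seq` and `1U << (max_seq - seq)`) are only defined while IPSEC_ANTIREPLAY_WS does not exceed the bit-width of mask and of `1U`, so a compile-time assertion on that relationship, or at least a comment next to the window size, would document the assumption the fix relies on.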