From f589486960ced8866e261dd2b84ba1820c43022b Mon Sep 17 00:00:00 2001
From: "Anand H. Krishnan"
Date: Sat, 12 Mar 2016 09:53:33 +0530
Subject: [PATCH] Drop ICMP error packets for ICMP errors

In case of ICMP error packets for ICMP errors, we were not initializing flow key and trying to form a flow out of that key, resulting in wrong key length and corrupted flow entry(s). We will drop such packets.

Change-Id: Idae46a7e128482ad89da8b5bd1bd0ef6b17ef28e
Closes-BUG: #1556363
---
 dp-core/vr_proto_ip.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/dp-core/vr_proto_ip.c b/dp-core/vr_proto_ip.c
index 82e669fb7..95d379334 100644
--- a/dp-core/vr_proto_ip.c
+++ b/dp-core/vr_proto_ip.c
@@ -841,6 +841,8 @@ vr_inet_proto_flow(struct vrouter *router, unsigned short vrf,
 struct vr_packet *pkt, uint16_t vlan, struct vr_ip *ip, struct vr_flow *flow_p)
 {
+ int ret = 0;
+
 unsigned short *t_hdr, sport, dport;
 unsigned short nh_id;
@@ -851,10 +853,17 @@ vr_inet_proto_flow(struct vrouter *router, unsigned short vrf,
 if (ip->ip_proto == VR_IP_PROTO_ICMP) {
 icmph = (struct vr_icmp *)t_hdr;
 if (vr_icmp_error(icmph)) {
+ /* we will generate a flow only for the first icmp error */
 if ((unsigned char *)ip == pkt_network_header(pkt)) {
- vr_inet_proto_flow(router, vrf, pkt, vlan,
+ ret = vr_inet_proto_flow(router, vrf, pkt, vlan,
 (struct vr_ip *)(icmph + 1), flow_p);
+ if (ret)
+ return ret;
+
 vr_inet_flow_swap(flow_p);
+ } else {
+ /* for icmp error for icmp error, we will drop the packet */
+ return -1;
 }
 return 0;
@@ -964,7 +973,7 @@ vr_inet_flow_lookup(struct vrouter *router, struct vr_packet *pkt,
 vr_enqueue_to_assembler(router, pkt, fmd);
 } else {
 /* unlikely to be hit. you can safely discount misc drops here */
- vr_pfree(pkt, VP_DROP_FRAGMENTS);
+ vr_pfree(pkt, VP_DROP_MISC);
 }
 return FLOW_CONSUMED;
 }
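Review bot: The new `return -1` for an ICMP error carried inside an ICMP error, and the `ret` propagated from the recursive call, lead to a drop only if every caller of vr_inet_proto_flow checks the return value and does not use flow_p after a failure; no caller is touched by this hunk, so that needs confirming. Nothing visible here writes flow_p before the `return -1`, which looks like the uninitialized-key condition the commit message describes. I would put the contract in a comment above the function, e.g. `/* returns 0 with *flow_p filled in; non-zero: no key was formed, drop the packet and do not use *flow_p */`. The function body starts and ends outside the hunk.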
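Review bot: The comment above the changed `vr_pfree(pkt, VP_DROP_MISC);` still calls this branch unlikely to be hit, and the commit description does not mention the change of drop reason. If the new non-zero return for nested ICMP errors ends up in this else branch (the enclosing condition is outside the hunk, so this is an assumption), the drop can be produced at will by a sender and will be counted as misc, where it is hard to tell apart from other drops. In that case I would reword the comment, e.g. `/* reached when no flow key could be formed, e.g. ICMP error inside an ICMP error */`, and consider a drop reason of its own for it.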