ipsec: drop outbound ESP when no crypto alg set

Type: fix

If a tunnel interface has the crypto alg set on the outbound SA to
IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface,
the attempt to write an ESP trailer on the packet occurs at the
wrong offset and the vnet buffer opaque data is corrupted, which
can result in a SEGV when a subsequent node attempts to use that
data.

When an outbound SA is set on a tunnel interface which has no crypto
alg set, add a node to the ip{4,6}-output feature arcs which drops all
packets leaving that interface instead of adding the node which would
try to encrypt the packets.

Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 5fc49e1..562f40e 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -234,19 +234,31 @@
 ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
 {
   u8 arc;
+  u32 esp4_feature_index, esp6_feature_index;
+  ipsec_sa_t *sa;
+
+  sa = ipsec_sa_get (t->output_sa_index);
+  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE)
+    {
+      esp4_feature_index = im->esp4_no_crypto_tun_feature_index;
+      esp6_feature_index = im->esp6_no_crypto_tun_feature_index;
+    }
+  else
+    {
+      esp4_feature_index = im->esp4_encrypt_tun_feature_index;
+      esp6_feature_index = im->esp6_encrypt_tun_feature_index;
+    }
 
   arc = vnet_get_feature_arc_index ("ip4-output");
 
-  vnet_feature_enable_disable_with_index (arc,
-					  im->esp4_encrypt_tun_feature_index,
+  vnet_feature_enable_disable_with_index (arc, esp4_feature_index,
 					  t->sw_if_index, enable,
 					  &t->output_sa_index,
 					  sizeof (t->output_sa_index));
 
   arc = vnet_get_feature_arc_index ("ip6-output");
 
-  vnet_feature_enable_disable_with_index (arc,
-					  im->esp6_encrypt_tun_feature_index,
+  vnet_feature_enable_disable_with_index (arc, esp6_feature_index,
 					  t->sw_if_index, enable,
 					  &t->output_sa_index,
 					  sizeof (t->output_sa_index));
@@ -562,6 +574,13 @@
 
   udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index,
 			 1);
+
+  /* set up feature nodes to drop outbound packets with no crypto alg set */
+  ipsec_add_feature ("ip4-output", "esp4-no-crypto",
+		     &im->esp4_no_crypto_tun_feature_index);
+  ipsec_add_feature ("ip6-output", "esp6-no-crypto",
+		     &im->esp6_no_crypto_tun_feature_index);
+
   return 0;
 }