ikev2: better packet parsing functions
Ticket: VPP-1918
Type: improvement
Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 96b8e7d..5103d98 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -71,7 +71,9 @@
_(IKE_REQ_RETRANSMIT, "IKE request retransmit") \
_(IKE_REQ_IGNORE, "IKE request ignore (old msgid)") \
_(NOT_IKEV2, "Non IKEv2 packets received") \
-_(BAD_LENGTH, "Bad packet length")
+_(BAD_LENGTH, "Bad packet length") \
+_(MALFORMED_PACKET, "Malformed packet") \
+_(NO_BUFF_SPACE, "No buffer space")
typedef enum
{
@@ -639,12 +641,54 @@
return res;
}
-static void
-ikev2_process_sa_init_req (vlib_main_t * vm, ikev2_sa_t * sa,
- ike_header_t * ike, udp_header_t * udp, u32 len)
+static int
+ikev2_parse_ke_payload (const void *p, u32 rlen, ikev2_sa_t * sa,
+ u8 ** ke_data)
{
+ const ike_ke_payload_header_t *ke = p;
+ u16 plen = clib_net_to_host_u16 (ke->length);
+ ASSERT (plen >= sizeof (*ke) && plen <= rlen);
+ if (sizeof (*ke) > rlen)
+ return 0;
+
+ sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
+ vec_reset_length (ke_data[0]);
+ vec_add (ke_data[0], ke->payload, plen - sizeof (*ke));
+ return 1;
+}
+
+static int
+ikev2_parse_nonce_payload (const void *p, u32 rlen, u8 * nonce)
+{
+ const ike_payload_header_t *ikep = p;
+ u16 plen = clib_net_to_host_u16 (ikep->length);
+ ASSERT (plen >= sizeof (*ikep) && plen <= rlen);
+ clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep));
+ return 1;
+}
+
+static int
+ikev2_check_payload_length (const ike_payload_header_t * ikep, int rlen,
+ u16 * plen)
+{
+ if (sizeof (*ikep) > rlen)
+ return 0;
+ *plen = clib_net_to_host_u16 (ikep->length);
+ if (*plen < sizeof (*ikep) || *plen > rlen)
+ return 0;
+ return 1;
+}
+
+static int
+ikev2_process_sa_init_req (vlib_main_t * vm,
+ ikev2_sa_t * sa, ike_header_t * ike,
+ udp_header_t * udp, u32 len)
+{
+ u8 nonce[IKEV2_NONCE_SIZE];
int p = 0;
u8 payload = ike->nextpayload;
+ ike_payload_header_t *ikep;
+ u16 plen;
ikev2_elog_exchange ("ispi %lx rspi %lx IKE_INIT request received "
"from %d.%d.%d.%d",
@@ -657,34 +701,38 @@
vec_reset_length (sa->last_sa_init_req_packet_data);
vec_add (sa->last_sa_init_req_packet_data, ike, len);
+ if (len < sizeof (*ike))
+ return 0;
+
+ len -= sizeof (*ike);
while (p < len && payload != IKEV2_PAYLOAD_NONE)
{
- ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
- u32 plen = clib_net_to_host_u16 (ikep->length);
-
- if (plen < sizeof (ike_payload_header_t))
- return;
+ ikep = (ike_payload_header_t *) & ike->payload[p];
+ int current_length = len - p;
+ if (!ikev2_check_payload_length (ikep, current_length, &plen))
+ return 0;
if (payload == IKEV2_PAYLOAD_SA)
{
ikev2_sa_free_proposal_vector (&sa->i_proposals);
- sa->i_proposals = ikev2_parse_sa_payload (ikep);
+ sa->i_proposals = ikev2_parse_sa_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_KE)
{
- ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
- sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
- vec_free (sa->i_dh_data);
- vec_add (sa->i_dh_data, ke->payload, plen - sizeof (*ke));
+ if (!ikev2_parse_ke_payload (ikep, current_length, sa,
+ &sa->i_dh_data))
+ return 0;
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
- vec_free (sa->i_nonce);
- vec_add (sa->i_nonce, ikep->payload, plen - sizeof (*ikep));
+ vec_reset_length (sa->i_nonce);
+ if (ikev2_parse_nonce_payload (ikep, current_length, nonce))
+ vec_add (sa->i_nonce, nonce, plen - sizeof (*ikep));
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
- ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
+ ikev2_notify_t *n =
+ ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
{
u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi, 0,
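Review bot: The result of `ikev2_parse_notify_payload (ikep, current_length)` is dereferenced on the following line (`n->msg_type`) without a NULL check, while the INFORMATIONAL hunk of this same commit adds `if (!n) return 0;` after the identical call, which suggests the parser can now fail on a short payload. Add the same guard here, `if (!n) return 0;`, and in the matching NOTIFY branches of ikev2_process_sa_init_resp (`return;`), ikev2_process_auth_req (`goto malformed;`) and ikev2_process_create_child_sa_req (`goto cleanup_and_exit;`). The body of ikev2_process_sa_init_req extends past both ends of this hunk.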
@@ -726,7 +774,7 @@
{
ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
sa->unsupported_cp = payload;
- return;
+ return 0;
}
}
@@ -735,14 +783,19 @@
}
ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
+ return 1;
}
static void
-ikev2_process_sa_init_resp (vlib_main_t * vm, ikev2_sa_t * sa,
- ike_header_t * ike, udp_header_t * udp, u32 len)
+ikev2_process_sa_init_resp (vlib_main_t * vm,
+ ikev2_sa_t * sa, ike_header_t * ike,
+ udp_header_t * udp, u32 len)
{
+ u8 nonce[IKEV2_NONCE_SIZE];
int p = 0;
u8 payload = ike->nextpayload;
+ ike_payload_header_t *ikep;
+ u16 plen;
sa->ispi = clib_net_to_host_u64 (ike->ispi);
sa->rspi = clib_net_to_host_u64 (ike->rspi);
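Review bot: `ikev2_process_sa_init_resp` keeps its `void` return while its request-side counterpart was changed to return int, so the length failures it now detects (the `return;` on a short header and on a bad payload length) are invisible to the caller and never reach the IKEV2_ERROR_MALFORMED_PACKET counter. Consider `static int` with `return 0` on those paths and `return 1` at the end, mirroring ikev2_process_sa_init_req, so the node can account for malformed responses the same way it does for requests. The function continues outside this hunk.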
@@ -755,18 +808,21 @@
vec_reset_length (sa->last_sa_init_res_packet_data);
vec_add (sa->last_sa_init_res_packet_data, ike, len);
+ if (sizeof (*ike) > len)
+ return;
+
+ len -= sizeof (*ike);
while (p < len && payload != IKEV2_PAYLOAD_NONE)
{
- ike_payload_header_t *ikep = (ike_payload_header_t *) & ike->payload[p];
- u32 plen = clib_net_to_host_u16 (ikep->length);
-
- if (plen < sizeof (ike_payload_header_t))
+ int current_length = len - p;
+ ikep = (ike_payload_header_t *) & ike->payload[p];
+ if (!ikev2_check_payload_length (ikep, current_length, &plen))
return;
if (payload == IKEV2_PAYLOAD_SA)
{
ikev2_sa_free_proposal_vector (&sa->r_proposals);
- sa->r_proposals = ikev2_parse_sa_payload (ikep);
+ sa->r_proposals = ikev2_parse_sa_payload (ikep, current_length);
if (sa->r_proposals)
{
ikev2_set_state (sa, IKEV2_STATE_SA_INIT);
@@ -776,19 +832,20 @@
}
else if (payload == IKEV2_PAYLOAD_KE)
{
- ike_ke_payload_header_t *ke = (ike_ke_payload_header_t *) ikep;
- sa->dh_group = clib_net_to_host_u16 (ke->dh_group);
- vec_free (sa->r_dh_data);
- vec_add (sa->r_dh_data, ke->payload, plen - sizeof (*ke));
+ if (!ikev2_parse_ke_payload (ikep, current_length, sa,
+ &sa->r_dh_data))
+ return;
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
- vec_free (sa->r_nonce);
- vec_add (sa->r_nonce, ikep->payload, plen - sizeof (*ikep));
+ vec_reset_length (sa->r_nonce);
+ if (ikev2_parse_nonce_payload (ikep, current_length, nonce))
+ vec_add (sa->r_nonce, nonce, plen - sizeof (*ikep));
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
- ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
+ ikev2_notify_t *n =
+ ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_NAT_DETECTION_SOURCE_IP)
{
u8 *src_sha = ikev2_compute_nat_sha1 (ike->ispi,
@@ -841,15 +898,15 @@
}
static u8 *
-ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike, u8 * payload,
- u32 len)
+ikev2_decrypt_sk_payload (ikev2_sa_t * sa, ike_header_t * ike,
+ u8 * payload, u32 rlen, u32 * out_len)
{
ikev2_main_per_thread_data_t *ptd = ikev2_get_per_thread_data ();
int p = 0;
- u8 last_payload = 0, *plaintext = 0;
- u8 *hmac = 0;
+ u8 last_payload = 0, *hmac = 0, *plaintext = 0;
ike_payload_header_t *ikep = 0;
- u32 plen = 0;
+ u16 plen = 0;
+ u32 dlen = 0;
ikev2_sa_transform_t *tr_integ;
ikev2_sa_transform_t *tr_encr;
tr_integ =
@@ -861,13 +918,16 @@
if ((!sa->sk_ar || !sa->sk_ai) && !is_aead)
return 0;
+ if (rlen <= sizeof (*ike))
+ return 0;
+
+ int len = rlen - sizeof (*ike);
while (p < len &&
*payload != IKEV2_PAYLOAD_NONE && last_payload != IKEV2_PAYLOAD_SK)
{
ikep = (ike_payload_header_t *) & ike->payload[p];
- plen = clib_net_to_host_u16 (ikep->length);
-
- if (plen < sizeof (*ikep))
+ int current_length = len - p;
+ if (!ikev2_check_payload_length (ikep, current_length, &plen))
return 0;
if (*payload == IKEV2_PAYLOAD_SK)
@@ -905,24 +965,29 @@
u32 aad_len = ikep->payload - aad;
u8 *tag = ikep->payload + plen;
- plaintext = ikev2_decrypt_aead_data (ptd, sa, tr_encr, ikep->payload,
- plen, aad, aad_len, tag);
+ int rc = ikev2_decrypt_aead_data (ptd, sa, tr_encr, ikep->payload,
+ plen, aad, aad_len, tag, &dlen);
+ if (rc)
+ {
+ *out_len = dlen;
+ plaintext = ikep->payload + IKEV2_GCM_IV_SIZE;
+ }
}
else
{
- if (len < tr_integ->key_trunc)
+ if (rlen < tr_integ->key_trunc)
return 0;
hmac =
ikev2_calc_integr (tr_integ, sa->is_initiator ? sa->sk_ar : sa->sk_ai,
- (u8 *) ike, len - tr_integ->key_trunc);
+ (u8 *) ike, rlen - tr_integ->key_trunc);
if (plen < sizeof (*ikep) + tr_integ->key_trunc)
return 0;
plen = plen - sizeof (*ikep) - tr_integ->key_trunc;
- if (memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
+ if (clib_memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc))
{
ikev2_elog_error ("message integrity check failed");
vec_free (hmac);
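Review bot: The integrity check `clib_memcmp (hmac, &ikep->payload[plen], tr_integ->key_trunc)` compares an HMAC with an ordinary byte comparison that stops at the first differing byte; unless clib_memcmp is implemented in constant time (its definition is not visible here), the comparison time depends on how many leading bytes match. A fixed-time comparison over `tr_integ->key_trunc` bytes, for example OR-accumulating the XOR of each byte pair and testing the accumulator once, avoids that. The PSK check `clib_memcmp(auth, sa_auth->data, vec_len(sa_auth->data))` in the later hunk has the same property and additionally does not confirm `vec_len (auth)` equals `vec_len (sa_auth->data)` before comparing. ikev2_decrypt_sk_payload starts and ends outside this hunk.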
@@ -930,7 +995,13 @@
}
vec_free (hmac);
- plaintext = ikev2_decrypt_data (ptd, sa, tr_encr, ikep->payload, plen);
+ int rc = ikev2_decrypt_data (ptd, sa, tr_encr, ikep->payload, plen,
+ &dlen);
+ if (rc)
+ {
+ *out_len = dlen;
+ plaintext = ikep->payload + tr_encr->block_size;
+ }
}
return plaintext;
@@ -945,7 +1016,7 @@
if (vec_len (i1->data) != vec_len (i2->data))
return 0;
- if (memcmp (i1->data, i2->data, vec_len (i1->data)))
+ if (clib_memcmp (i1->data, i2->data, vec_len (i1->data)))
return 0;
return 1;
@@ -989,16 +1060,44 @@
sa->initial_contact = 0;
}
-static void
-ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa, ike_header_t * ike,
- u32 len)
+static int
+ikev2_parse_id_payload (const void *p, u16 rlen, ikev2_id_t * sa_id)
{
- ikev2_child_sa_t *first_child_sa;
+ const ike_id_payload_header_t *id = p;
+ u16 plen = clib_net_to_host_u16 (id->length);
+ if (plen < sizeof (*id) || plen > rlen)
+ return 0;
+
+ sa_id->type = id->id_type;
+ vec_reset_length (sa_id->data);
+ vec_add (sa_id->data, id->payload, plen - sizeof (*id));
+
+ return 1;
+}
+
+static int
+ikev2_parse_auth_payload (const void *p, u32 rlen, ikev2_auth_t * a)
+{
+ const ike_auth_payload_header_t *ah = p;
+ u16 plen = clib_net_to_host_u16 (ah->length);
+
+ a->method = ah->auth_method;
+ vec_reset_length (a->data);
+ vec_add (a->data, ah->payload, plen - sizeof (*ah));
+ return 1;
+}
+
+static int
+ikev2_process_auth_req (vlib_main_t * vm, ikev2_sa_t * sa,
+ ike_header_t * ike, u32 len)
+{
int p = 0;
+ ikev2_child_sa_t *first_child_sa;
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
ike_payload_header_t *ikep;
- u32 plen;
+ u16 plen;
+ u32 dlen = 0;
ikev2_elog_exchange ("ispi %lx rspi %lx EXCHANGE_IKE_AUTH received "
"from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
@@ -1008,13 +1107,16 @@
ikev2_calc_keys (sa);
- plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len);
+ plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
if (!plaintext)
{
if (sa->unsupported_cp)
- ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
- goto cleanup_and_exit;
+ {
+ ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
+ return 0;
+ }
+ goto malformed;
}
/* select or create 1st child SA */
@@ -1030,64 +1132,57 @@
/* process encrypted payload */
- p = 0;
- while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
+ while (p < dlen && payload != IKEV2_PAYLOAD_NONE)
{
ikep = (ike_payload_header_t *) & plaintext[p];
- plen = clib_net_to_host_u16 (ikep->length);
-
- if (plen < sizeof (ike_payload_header_t))
- goto cleanup_and_exit;
+ int current_length = dlen - p;
+ if (!ikev2_check_payload_length (ikep, current_length, &plen))
+ goto malformed;
if (payload == IKEV2_PAYLOAD_SA) /* 33 */
{
if (sa->is_initiator)
{
ikev2_sa_free_proposal_vector (&first_child_sa->r_proposals);
- first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep);
+ first_child_sa->r_proposals = ikev2_parse_sa_payload (ikep,
+ current_length);
}
else
{
ikev2_sa_free_proposal_vector (&first_child_sa->i_proposals);
- first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep);
+ first_child_sa->i_proposals = ikev2_parse_sa_payload (ikep,
+ current_length);
}
}
else if (payload == IKEV2_PAYLOAD_IDI) /* 35 */
{
- ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
-
- sa->i_id.type = id->id_type;
- vec_free (sa->i_id.data);
- vec_add (sa->i_id.data, id->payload, plen - sizeof (*id));
+ if (!ikev2_parse_id_payload (ikep, current_length, &sa->i_id))
+ goto malformed;
}
else if (payload == IKEV2_PAYLOAD_IDR) /* 36 */
{
- ike_id_payload_header_t *id = (ike_id_payload_header_t *) ikep;
-
- sa->r_id.type = id->id_type;
- vec_free (sa->r_id.data);
- vec_add (sa->r_id.data, id->payload, plen - sizeof (*id));
+ if (!ikev2_parse_id_payload (ikep, current_length, &sa->r_id))
+ goto malformed;
}
else if (payload == IKEV2_PAYLOAD_AUTH) /* 39 */
{
- ike_auth_payload_header_t *a = (ike_auth_payload_header_t *) ikep;
-
if (sa->is_initiator)
{
- sa->r_auth.method = a->auth_method;
- vec_free (sa->r_auth.data);
- vec_add (sa->r_auth.data, a->payload, plen - sizeof (*a));
+ if (!ikev2_parse_auth_payload (ikep, current_length,
+ &sa->r_auth))
+ goto malformed;
}
else
{
- sa->i_auth.method = a->auth_method;
- vec_free (sa->i_auth.data);
- vec_add (sa->i_auth.data, a->payload, plen - sizeof (*a));
+ if (!ikev2_parse_auth_payload (ikep, current_length,
+ &sa->i_auth))
+ goto malformed;
}
}
else if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
{
- ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
+ ikev2_notify_t *n =
+ ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_INITIAL_CONTACT)
{
sa->initial_contact = 1;
@@ -1101,12 +1196,12 @@
else if (payload == IKEV2_PAYLOAD_TSI) /* 44 */
{
vec_free (first_child_sa->tsi);
- first_child_sa->tsi = ikev2_parse_ts_payload (ikep);
+ first_child_sa->tsi = ikev2_parse_ts_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_TSR) /* 45 */
{
vec_free (first_child_sa->tsr);
- first_child_sa->tsr = ikev2_parse_ts_payload (ikep);
+ first_child_sa->tsr = ikev2_parse_ts_payload (ikep, current_length);
}
else
{
@@ -1117,7 +1212,7 @@
{
ikev2_set_state (sa, IKEV2_STATE_NOTIFY_AND_DELETE);
sa->unsupported_cp = payload;
- return;
+ return 0;
}
}
@@ -1125,50 +1220,60 @@
p += plen;
}
-cleanup_and_exit:
- vec_free (plaintext);
+ return 1;
+
+malformed:
+ ikev2_set_state (sa, IKEV2_STATE_DELETED);
+ return 0;
}
-static void
-ikev2_process_informational_req (vlib_main_t * vm, ikev2_sa_t * sa,
- ike_header_t * ike, u32 len)
+static int
+ikev2_process_informational_req (vlib_main_t * vm,
+ ikev2_sa_t * sa, ike_header_t * ike, u32 len)
{
int p = 0;
u8 payload = ike->nextpayload;
u8 *plaintext = 0;
ike_payload_header_t *ikep;
- u32 plen;
+ u32 dlen = 0;
+ ikev2_notify_t *n = 0;
sa->liveness_retries = 0;
ikev2_elog_exchange ("ispi %lx rspi %lx INFORMATIONAL received "
"from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
clib_host_to_net_u64 (ike->rspi), sa->iaddr.as_u32);
- plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len);
+ plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
if (!plaintext)
- goto cleanup_and_exit;
+ return 0;
/* process encrypted payload */
p = 0;
- while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
+ while (p < dlen && payload != IKEV2_PAYLOAD_NONE)
{
- ikep = (ike_payload_header_t *) & plaintext[p];
- plen = clib_net_to_host_u16 (ikep->length);
+ u32 current_length = dlen - p;
+ if (p + sizeof (*ikep) > dlen)
+ return 0;
- if (plen < sizeof (ike_payload_header_t))
- goto cleanup_and_exit;
+ ikep = (ike_payload_header_t *) & plaintext[p];
+ u16 plen = clib_net_to_host_u16 (ikep->length);
+
+ if (plen < sizeof (*ikep) || plen > current_length)
+ return 0;
if (payload == IKEV2_PAYLOAD_NOTIFY) /* 41 */
{
- ikev2_notify_t *n = ikev2_parse_notify_payload (ikep);
+ n = ikev2_parse_notify_payload (ikep, current_length);
+ if (!n)
+ return 0;
if (n->msg_type == IKEV2_NOTIFY_MSG_AUTHENTICATION_FAILED)
ikev2_set_state (sa, IKEV2_STATE_AUTH_FAILED);
vec_free (n);
}
else if (payload == IKEV2_PAYLOAD_DELETE) /* 42 */
{
- sa->del = ikev2_parse_delete_payload (ikep);
+ sa->del = ikev2_parse_delete_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_VENDOR) /* 43 */
{
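Review bot: The INFORMATIONAL loop re-implements the payload-length check inline (`if (p + sizeof (*ikep) > dlen)` followed by the `plen < sizeof (*ikep) || plen > current_length` test) instead of calling the `ikev2_check_payload_length` helper this commit introduces and uses in every other payload loop. Replace the two checks with `if (!ikev2_check_payload_length (ikep, current_length, &plen)) return 0;` and declare `u16 plen;` at the top like the other processors, so a future fix to the helper applies here as well. Both ikev2_process_auth_req and ikev2_process_informational_req extend outside this hunk.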
@@ -1181,21 +1286,19 @@
if (ikep->flags & IKEV2_PAYLOAD_FLAG_CRITICAL)
{
sa->unsupported_cp = payload;
- return;
+ return 0;
}
}
-
payload = ikep->nextpayload;
p += plen;
}
-
-cleanup_and_exit:
- vec_free (plaintext);
+ return 1;
}
-static void
-ikev2_process_create_child_sa_req (vlib_main_t * vm, ikev2_sa_t * sa,
- ike_header_t * ike, u32 len)
+static int
+ikev2_process_create_child_sa_req (vlib_main_t * vm,
+ ikev2_sa_t * sa, ike_header_t * ike,
+ u32 len)
{
int p = 0;
u8 payload = ike->nextpayload;
@@ -1204,39 +1307,39 @@
u8 nonce[IKEV2_NONCE_SIZE];
ike_payload_header_t *ikep;
- u32 plen;
ikev2_notify_t *n = 0;
ikev2_ts_t *tsi = 0;
ikev2_ts_t *tsr = 0;
ikev2_sa_proposal_t *proposal = 0;
ikev2_child_sa_t *child_sa;
+ u32 dlen = 0;
+ u16 plen;
ikev2_elog_exchange ("ispi %lx rspi %lx CREATE_CHILD_SA received "
"from %d.%d.%d.%d", clib_host_to_net_u64 (ike->ispi),
clib_host_to_net_u64 (ike->rspi), sa->raddr.as_u32);
- plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len);
+ plaintext = ikev2_decrypt_sk_payload (sa, ike, &payload, len, &dlen);
if (!plaintext)
goto cleanup_and_exit;
/* process encrypted payload */
p = 0;
- while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)
+ while (payload != IKEV2_PAYLOAD_NONE)
{
ikep = (ike_payload_header_t *) & plaintext[p];
- plen = clib_net_to_host_u16 (ikep->length);
-
- if (plen < sizeof (ike_payload_header_t))
+ int current_length = dlen - p;
+ if (!ikev2_check_payload_length (ikep, current_length, &plen))
goto cleanup_and_exit;
- else if (payload == IKEV2_PAYLOAD_SA)
+ if (payload == IKEV2_PAYLOAD_SA)
{
- proposal = ikev2_parse_sa_payload (ikep);
+ proposal = ikev2_parse_sa_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_NOTIFY)
{
- n = ikev2_parse_notify_payload (ikep);
+ n = ikev2_parse_notify_payload (ikep, current_length);
if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
{
rekeying = 1;
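Review bot: The loop header was changed from `while (p < vec_len (plaintext) && payload != IKEV2_PAYLOAD_NONE)` to `while (payload != IKEV2_PAYLOAD_NONE)`, dropping the explicit bound; termination now relies on `ikev2_check_payload_length` rejecting a `current_length` of 0 once `p` reaches `dlen`, which works but is non-obvious and differs from the other four loops in this commit. Keep `while (p < dlen && payload != IKEV2_PAYLOAD_NONE)` for consistency. In the next hunk the return of `ikev2_parse_nonce_payload (ikep, current_length, nonce)` is ignored, so a short or rejected NONCE leaves `nonce` partly uninitialized while the later `vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE)` copies the whole array; treat a 0 return as `goto cleanup_and_exit;`. ikev2_process_create_child_sa_req extends beyond this hunk on both sides.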
@@ -1244,7 +1347,7 @@
}
else if (payload == IKEV2_PAYLOAD_DELETE)
{
- sa->del = ikev2_parse_delete_payload (ikep);
+ sa->del = ikev2_parse_delete_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_VENDOR)
{
@@ -1252,15 +1355,15 @@
}
else if (payload == IKEV2_PAYLOAD_NONCE)
{
- clib_memcpy_fast (nonce, ikep->payload, plen - sizeof (*ikep));
+ ikev2_parse_nonce_payload (ikep, current_length, nonce);
}
else if (payload == IKEV2_PAYLOAD_TSI)
{
- tsi = ikev2_parse_ts_payload (ikep);
+ tsi = ikev2_parse_ts_payload (ikep, current_length);
}
else if (payload == IKEV2_PAYLOAD_TSR)
{
- tsr = ikev2_parse_ts_payload (ikep);
+ tsr = ikev2_parse_ts_payload (ikep, current_length);
}
else
{
@@ -1272,7 +1375,6 @@
goto cleanup_and_exit;
}
}
-
payload = ikep->nextpayload;
p += plen;
}
@@ -1288,7 +1390,7 @@
rekey->tsi = tsi;
rekey->tsr = tsr;
/* update Nr */
- vec_free (sa->r_nonce);
+ vec_reset_length (sa->r_nonce);
vec_add (sa->r_nonce, nonce, IKEV2_NONCE_SIZE);
child_sa = ikev2_sa_get_child (sa, rekey->ispi, IKEV2_PROTOCOL_ESP, 1);
if (child_sa)
@@ -1318,14 +1420,15 @@
vec_free (sa->i_nonce);
vec_add (sa->i_nonce, nonce, IKEV2_NONCE_SIZE);
/* generate new Nr */
- vec_free (sa->r_nonce);
- sa->r_nonce = vec_new (u8, IKEV2_NONCE_SIZE);
+ vec_validate (sa->r_nonce, IKEV2_NONCE_SIZE - 1);
RAND_bytes ((u8 *) sa->r_nonce, IKEV2_NONCE_SIZE);
+ vec_free (n);
}
+ return 1;
cleanup_and_exit:
- vec_free (plaintext);
vec_free (n);
+ return 0;
}
static u8 *
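Review bot: `vec_validate (sa->r_nonce, IKEV2_NONCE_SIZE - 1)` only grows the vector, so if `sa->r_nonce` is already longer than IKEV2_NONCE_SIZE its length is unchanged and the trailing bytes keep stale data, whereas the replaced `vec_free` + `vec_new` pinned the length to exactly IKEV2_NONCE_SIZE (and the rekey branch earlier in this function uses `vec_reset_length` followed by `vec_add` for the same effect). Precede it with `vec_reset_length (sa->r_nonce);` so the generated nonce is exactly IKEV2_NONCE_SIZE bytes. Whether r_nonce can be longer at this point is not visible from the hunk.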
@@ -1511,7 +1614,7 @@
psk = ikev2_calc_prf(tr_prf, p->auth.data, key_pad);
auth = ikev2_calc_prf(tr_prf, psk, authmsg);
- if (!memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
+ if (!clib_memcmp(auth, sa_auth->data, vec_len(sa_auth->data)))
{
ikev2_set_state(sa, IKEV2_STATE_AUTHENTICATED);
vec_free(auth);
@@ -2069,9 +2172,11 @@
}
static u32
-ikev2_generate_message (ikev2_sa_t * sa, ike_header_t * ike, void *user,
- udp_header_t * udp)
+ikev2_generate_message (vlib_buffer_t * b, ikev2_sa_t * sa,
+ ike_header_t * ike, void *user, udp_header_t * udp)
{
+ ikev2_main_t *km = &ikev2_main;
+ u16 buffer_data_size = vlib_buffer_get_default_data_size (km->vlib_main);
v8 *integ = 0;
ike_payload_header_t *ph;
u16 plen;
@@ -2328,6 +2433,13 @@
tlen += vec_len (chain->data);
ike->nextpayload = chain->first_payload_type;
ike->length = clib_host_to_net_u32 (tlen);
+
+ if (tlen + b->current_length + b->current_data > buffer_data_size)
+ {
+ tlen = ~0;
+ goto done;
+ }
+
clib_memcpy_fast (ike->payload, chain->data, vec_len (chain->data));
/* store whole IKE payload - needed for PSK auth */
@@ -2356,21 +2468,36 @@
plen += IKEV2_GCM_ICV_SIZE;
tlen += plen;
+ if (tlen + b->current_length + b->current_data > buffer_data_size)
+ {
+ tlen = ~0;
+ goto done;
+ }
+
/* payload and total length */
ph->length = clib_host_to_net_u16 (plen);
ike->length = clib_host_to_net_u32 (tlen);
if (is_aead)
{
- ikev2_encrypt_aead_data (ptd, sa, tr_encr, chain->data,
- ph->payload, (u8 *) ike,
- sizeof (*ike) + sizeof (*ph),
- ph->payload + plen - sizeof (*ph) -
- IKEV2_GCM_ICV_SIZE);
+ if (!ikev2_encrypt_aead_data (ptd, sa, tr_encr, chain->data,
+ ph->payload, (u8 *) ike,
+ sizeof (*ike) + sizeof (*ph),
+ ph->payload + plen - sizeof (*ph) -
+ IKEV2_GCM_ICV_SIZE))
+ {
+ tlen = ~0;
+ goto done;
+ }
}
else
{
- ikev2_encrypt_data (ptd, sa, tr_encr, chain->data, ph->payload);
+ if (!ikev2_encrypt_data
+ (ptd, sa, tr_encr, chain->data, ph->payload))
+ {
+ tlen = ~0;
+ goto done;
+ }
integ =
ikev2_calc_integr (tr_integ,
sa->is_initiator ? sa->sk_ai : sa->sk_ar,
@@ -2391,8 +2518,8 @@
}
static u32
-ikev2_retransmit_sa_init (ike_header_t * ike,
- ip4_address_t iaddr, ip4_address_t raddr, u32 rlen)
+ikev2_retransmit_sa_init (ike_header_t * ike, ip4_address_t iaddr,
+ ip4_address_t raddr, u32 rlen)
{
ikev2_main_t *km = &ikev2_main;
ikev2_sa_t *sa;
@@ -2409,14 +2536,17 @@
while (p < rlen && payload!= IKEV2_PAYLOAD_NONE) {
ike_payload_header_t * ikep = (ike_payload_header_t *) &ike->payload[p];
- u32 plen = clib_net_to_host_u16(ikep->length);
+ u32 plen = clib_net_to_host_u16 (ikep->length);
+ if (plen > p + sizeof (*ike))
+ return ~0;
if (plen < sizeof(ike_payload_header_t))
- return -1;
+ return ~0;
if (payload == IKEV2_PAYLOAD_NONCE)
{
- if (!memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep)))
+ if (!clib_memcmp(sa->i_nonce, ikep->payload,
+ plen - sizeof(*ikep)))
{
/* req is retransmit */
if (sa->state == IKEV2_STATE_SA_INIT)
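Review bot: The new bound `if (plen > p + sizeof (*ike)) return ~0;` compares the payload length with the current offset plus the IKE header size, which is unrelated to the bytes actually remaining: it rejects an ordinary first payload longer than the header and accepts an over-long payload near the end of the message. The intended test is against the remaining length, `if (rlen < sizeof (*ike) || plen > rlen - sizeof (*ike) - p) return ~0;`, placed after the existing `plen < sizeof(ike_payload_header_t)` check. The comparison `clib_memcmp(sa->i_nonce, ikep->payload, plen - sizeof(*ikep))` also reads `plen - sizeof(*ikep)` bytes of `sa->i_nonce` without confirming `vec_len (sa->i_nonce)` is at least that long. The enclosing function starts and ends outside the hunk.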
@@ -2463,7 +2593,7 @@
}
static u32
-ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike, u32 rlen)
+ikev2_retransmit_resp (ikev2_sa_t * sa, ike_header_t * ike)
{
u32 msg_id = clib_net_to_host_u32 (ike->msgid);
@@ -2536,6 +2666,7 @@
ikev2_next_t next_index;
ikev2_main_t *km = &ikev2_main;
u32 thread_index = vlib_get_thread_index ();
+ int res;
from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
@@ -2552,7 +2683,6 @@
u32 bi0;
vlib_buffer_t *b0;
u32 next0 = IKEV2_NEXT_ERROR_DROP;
- u32 sw_if_index0;
ip4_header_t *ip40;
udp_header_t *udp0;
ike_header_t *ike0;
@@ -2643,7 +2773,12 @@
goto dispatch0;
}
- ikev2_process_sa_init_req (vm, sa0, ike0, udp0, rlen);
+ res = ikev2_process_sa_init_req (vm, sa0,
+ ike0, udp0, rlen);
+ if (!res)
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_MALFORMED_PACKET,
+ 1);
if (sa0->state == IKEV2_STATE_SA_INIT)
{
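Review bot: Every `return 0` from `ikev2_process_sa_init_req` is counted as IKEV2_ERROR_MALFORMED_PACKET, but one of them (the `return 0` after `sa->unsupported_cp = payload;` with state IKEV2_STATE_NOTIFY_AND_DELETE) is the well-formed unsupported-critical-payload case, so the counter over-reports. Either skip the increment on that path, `if (!res && !sa0->unsupported_cp)`, or give the processor a distinct return value for it; the same applies to the `res = ikev2_process_auth_req (...)` hunk, where the unsupported_cp path also returns 0. The surrounding node function lies outside this hunk.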
@@ -2657,7 +2792,12 @@
if (sa0->state == IKEV2_STATE_SA_INIT
|| sa0->state == IKEV2_STATE_NOTIFY_AND_DELETE)
{
- slen = ikev2_generate_message (sa0, ike0, 0, udp0);
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ if (~0 == slen)
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_NO_BUFF_SPACE,
+ 1);
}
if (sa0->state == IKEV2_STATE_SA_INIT)
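Review bot: After incrementing IKEV2_ERROR_NO_BUFF_SPACE, `slen` is left at ~0 and execution continues into the `if (sa0->state == IKEV2_STATE_SA_INIT)` branch and the dispatch code outside this hunk; if that code treats any non-zero `slen` as a length to transmit, as the `if (slen)` after ikev2_retransmit_resp does, a ~0 length could reach the send path. The INFORMATIONAL and CREATE_CHILD_SA hunks jump straight to `dispatch0` after setting `slen = ~0`, which suggests dispatch0 handles that value, but it is not visible here; confirm it, or reset `slen = 0;` next to the counter increment. The same pattern appears at each of the other `~0 == slen` checks added to the node in this commit.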
@@ -2702,7 +2842,13 @@
ikev2_calc_keys (sa0);
ikev2_sa_auth_init (sa0);
slen =
- ikev2_generate_message (sa0, ike0, 0, udp0);
+ ikev2_generate_message (b0, sa0, ike0, 0,
+ udp0);
+ if (~0 == slen)
+ vlib_node_increment_counter (vm,
+ ikev2_node.index,
+ IKEV2_ERROR_NO_BUFF_SPACE,
+ 1);
}
else
{
@@ -2738,7 +2884,7 @@
pool_elt_at_index (km->per_thread_data[thread_index].sas,
p[0]);
- slen = ikev2_retransmit_resp (sa0, ike0, rlen);
+ slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
vlib_node_increment_counter (vm, ikev2_node.index,
@@ -2752,8 +2898,13 @@
}
sa0->dst_port = clib_net_to_host_u16 (udp0->src_port);
- ikev2_process_auth_req (vm, sa0, ike0, rlen);
- ikev2_sa_auth (sa0);
+ res = ikev2_process_auth_req (vm, sa0, ike0, rlen);
+ if (res)
+ ikev2_sa_auth (sa0);
+ else
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_MALFORMED_PACKET,
+ 1);
if (sa0->state == IKEV2_STATE_AUTHENTICATED)
{
ikev2_initial_contact_cleanup (sa0);
@@ -2770,7 +2921,11 @@
}
else
{
- slen = ikev2_generate_message (sa0, ike0, 0, udp0);
+ slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ if (~0 == slen)
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_NO_BUFF_SPACE,
+ 1);
}
}
}
@@ -2785,7 +2940,7 @@
pool_elt_at_index (km->per_thread_data[thread_index].sas,
p[0]);
- slen = ikev2_retransmit_resp (sa0, ike0, rlen);
+ slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
vlib_node_increment_counter (vm, ikev2_node.index,
@@ -2798,7 +2953,16 @@
goto dispatch0;
}
- ikev2_process_informational_req (vm, sa0, ike0, rlen);
+ res = ikev2_process_informational_req (vm, sa0, ike0, rlen);
+ if (!res)
+ {
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_MALFORMED_PACKET,
+ 1);
+ slen = ~0;
+ goto dispatch0;
+ }
+
if (sa0->del)
{
if (sa0->del[0].protocol_id != IKEV2_PROTOCOL_IKE)
@@ -2833,7 +2997,11 @@
if (!(ike0->flags & IKEV2_HDR_FLAG_RESPONSE))
{
ike0->flags |= IKEV2_HDR_FLAG_RESPONSE;
- slen = ikev2_generate_message (sa0, ike0, 0, udp0);
+ slen = ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ if (~0 == slen)
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_NO_BUFF_SPACE,
+ 1);
}
}
}
@@ -2848,7 +3016,7 @@
pool_elt_at_index (km->per_thread_data[thread_index].sas,
p[0]);
- slen = ikev2_retransmit_resp (sa0, ike0, rlen);
+ slen = ikev2_retransmit_resp (sa0, ike0);
if (slen)
{
vlib_node_increment_counter (vm, ikev2_node.index,
@@ -2861,7 +3029,17 @@
goto dispatch0;
}
- ikev2_process_create_child_sa_req (vm, sa0, ike0, rlen);
+ res = ikev2_process_create_child_sa_req (vm, sa0,
+ ike0, rlen);
+ if (!res)
+ {
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_MALFORMED_PACKET,
+ 1);
+ slen = ~0;
+ goto dispatch0;
+ }
+
if (sa0->rekey)
{
if (sa0->rekey[0].protocol_id != IKEV2_PROTOCOL_IKE)
@@ -2886,7 +3064,12 @@
}
else
{
- slen = ikev2_generate_message (sa0, ike0, 0, udp0);
+ slen =
+ ikev2_generate_message (b0, sa0, ike0, 0, udp0);
+ if (~0 == slen)
+ vlib_node_increment_counter (vm, ikev2_node.index,
+ IKEV2_ERROR_NO_BUFF_SPACE,
+ 1);
}
}
}
@@ -2957,13 +3140,12 @@
ikev2_delete_sa (sa0);
}
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
-
if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
&& (b0->flags & VLIB_BUFFER_IS_TRACED)))
{
+
ikev2_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
- t->sw_if_index = sw_if_index0;
+ t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX];
t->next_index = next0;
}
@@ -3187,16 +3369,15 @@
}
static u32
-ikev2_get_new_ike_header_buff (vlib_main_t * vm, ike_header_t ** ike)
+ikev2_get_new_ike_header_buff (vlib_main_t * vm, vlib_buffer_t ** b)
{
u32 bi0;
if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
{
- *ike = 0;
+ *b = 0;
return 0;
}
- vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
- *ike = vlib_buffer_get_current (b0);
+ *b = vlib_get_buffer (vm, bi0);
return bi0;
}
@@ -3273,19 +3454,21 @@
{
ikev2_main_t *km = &ikev2_main;
ip4_address_t *src, *dst;
+ vlib_buffer_t *b0;
/* Create the Initiator notification for IKE SA removal */
ike_header_t *ike0;
u32 bi0 = 0;
int len;
- bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
if (!bi0)
{
ikev2_log_error ("buffer alloc failure");
return;
}
+ ike0 = vlib_buffer_get_current (b0);
ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
@@ -3294,7 +3477,9 @@
sa->del->spi = sa->ispi;
ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (sa, ike0, 0, 0);
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0);
+ if (~0 == len)
+ return;
if (sa->is_initiator)
{
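Review bot: On `~0 == len` the function returns without releasing the buffer obtained from `ikev2_get_new_ike_header_buff`, so every failed message generation leaks `bi0`; the earlier `if (!bi0)` return happens before any allocation, but this one does not. Free it before returning, `vlib_buffer_free (vm, &bi0, 1); return;` (using `km->vlib_main` where no `vm` is in scope). The same early return is added in the three later hunks of this file that call `ikev2_generate_message (b0, sa, ike0, ...)`, and each needs the same release. The enclosing function continues outside this hunk.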
@@ -3702,6 +3887,7 @@
/* Create the Initiator Request */
{
+ vlib_buffer_t *b0;
ike_header_t *ike0;
u32 bi0 = 0;
ip_lookup_main_t *lm = &im->lookup_main;
@@ -3715,13 +3901,14 @@
pool_elt_at_index (lm->if_address_pool, if_add_index0);
ip4_address_t *if_ip = ip_interface_address_get_address (lm, if_add);
- bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
if (!bi0)
{
char *errmsg = "buffer alloc failure";
ikev2_log_error (errmsg);
return clib_error_return (0, errmsg);
}
+ ike0 = vlib_buffer_get_current (b0);
/* Prepare the SA and the IKE payload */
ikev2_sa_t sa;
@@ -3849,15 +4036,17 @@
ikev2_main_t *km = &ikev2_main;
ike_header_t *ike0;
u32 bi0 = 0;
+ vlib_buffer_t *b0;
int len;
- bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
if (!bi0)
{
ikev2_log_error ("buffer alloc failure");
return;
}
+ ike0 = vlib_buffer_get_current (b0);
ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
@@ -3866,7 +4055,10 @@
sa->del->spi = csa->i_proposals->spi;
ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (sa, ike0, 0, 0);
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0);
+ if (~0 == len)
+ return;
+
if (sa->natt)
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
@@ -3960,16 +4152,18 @@
{
/* Create the Initiator request for create child SA */
ike_header_t *ike0;
+ vlib_buffer_t *b0;
u32 bi0 = 0;
int len;
- bi0 = ikev2_get_new_ike_header_buff (vm, &ike0);
+ bi0 = ikev2_get_new_ike_header_buff (vm, &b0);
if (!bi0)
{
ikev2_log_error ("buffer alloc failure");
return;
}
+ ike0 = vlib_buffer_get_current (b0);
ike0->version = IKE_VERSION_2;
ike0->flags = IKEV2_HDR_FLAG_INITIATOR;
ike0->exchange = IKEV2_EXCHANGE_CREATE_CHILD_SA;
@@ -3986,7 +4180,10 @@
RAND_bytes ((u8 *) & proposals[0].spi, sizeof (proposals[0].spi));
rekey->spi = proposals[0].spi;
rekey->ispi = csa->i_proposals->spi;
- len = ikev2_generate_message (sa, ike0, proposals, 0);
+ len = ikev2_generate_message (b0, sa, ike0, proposals, 0);
+ if (~0 == len)
+ return;
+
if (sa->natt)
len = ikev2_insert_non_esp_marker (ike0, len);
ikev2_send_ike (vm, &sa->iaddr, &sa->raddr, bi0, len,
@@ -4297,23 +4494,28 @@
ikev2_main_t *km = &ikev2_main;
ip4_address_t *src, *dst;
ike_header_t *ike0;
+ vlib_buffer_t *b0;
u32 bi0 = 0;
u16 dp;
int len;
- bi0 = ikev2_get_new_ike_header_buff (km->vlib_main, &ike0);
+ bi0 = ikev2_get_new_ike_header_buff (km->vlib_main, &b0);
if (!bi0)
{
ikev2_log_error ("buffer alloc failure");
return;
}
+ ike0 = vlib_buffer_get_current (b0);
ike0->exchange = IKEV2_EXCHANGE_INFORMATIONAL;
ike0->ispi = clib_host_to_net_u64 (sa->ispi);
ike0->rspi = clib_host_to_net_u64 (sa->rspi);
ike0->msgid = clib_host_to_net_u32 (sa->last_init_msg_id + 1);
sa->last_init_msg_id = clib_net_to_host_u32 (ike0->msgid);
- len = ikev2_generate_message (sa, ike0, 0, 0);
+ len = ikev2_generate_message (b0, sa, ike0, 0, 0);
+ if (~0 == len)
+ return;
+
if (sa->natt)
len = ikev2_insert_non_esp_marker (ike0, len);
diff --git a/src/plugins/ikev2/ikev2.h b/src/plugins/ikev2/ikev2.h
index d435179..36ac85a 100644
--- a/src/plugins/ikev2/ikev2.h
+++ b/src/plugins/ikev2/ikev2.h
@@ -45,13 +45,14 @@
/* *INDENT-ON* */
/* *INDENT-OFF* */
-typedef CLIB_PACKED (struct
- {
- u8 nextpayload;
- u8 flags;
- u16 length;
- u16 dh_group;
- u8 reserved[2]; u8 payload[0];}) ike_ke_payload_header_t;
+typedef CLIB_PACKED (struct {
+ u8 nextpayload;
+ u8 flags;
+ u16 length;
+ u16 dh_group;
+ u8 reserved[2];
+ u8 payload[0];
+}) ike_ke_payload_header_t;
/* *INDENT-ON* */
/* *INDENT-OFF* */
diff --git a/src/plugins/ikev2/ikev2_crypto.c b/src/plugins/ikev2/ikev2_crypto.c
index 013857d..f5080ed 100644
--- a/src/plugins/ikev2/ikev2_crypto.c
+++ b/src/plugins/ikev2/ikev2_crypto.c
@@ -349,10 +349,11 @@
clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE);
}
-u8 *
+int
ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data,
- int data_len, u8 * aad, u32 aad_len, u8 * tag)
+ int data_len, u8 * aad, u32 aad_len, u8 * tag,
+ u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int len = 0;
@@ -369,34 +370,33 @@
data += IKEV2_GCM_IV_SIZE;
data_len -= IKEV2_GCM_IV_SIZE;
- v8 *r = vec_new (u8, data_len);
EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0);
EVP_DecryptInit_ex (ctx, 0, 0, key, nonce);
EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len);
- EVP_DecryptUpdate (ctx, r, &len, data, data_len);
+ EVP_DecryptUpdate (ctx, data, &len, data, data_len);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag);
- if (EVP_DecryptFinal_ex (ctx, r + len, &len) > 0)
+ if (EVP_DecryptFinal_ex (ctx, data + len, &len) > 0)
{
- /* remove padding */
- _vec_len (r) -= r[vec_len (r) - 1] + 1;
- return r;
+ *out_len = data_len - data[data_len - 1] - 1;
+ return 1;
}
- vec_free (r);
return 0;
}
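Review bot: `*out_len = data_len - data[data_len - 1] - 1;` trusts the decrypted pad-length byte: when it is greater than or equal to data_len the u32 subtraction wraps and the caller receives a length far beyond the buffer, and if data_len reaches 0 after the IV is subtracted (no check for that is visible in the hunk) `data[data_len - 1]` reads one byte before the buffer. Whether earlier length checks outside the hunk rule out a too-short data_len cannot be seen here; the pad check is missing in any case. Order it as `if (data_len <= 0) return 0;`, then `u8 pad = data[data_len - 1]; if (pad >= data_len) return 0;`, then `*out_len = data_len - pad - 1;`. The CBC variant in `@@ -404,15 +404,20 @@` has the same unchecked `len - data[len - 1] - 1`, and there len can be 0 after `len -= block_size` because the `len % block_size` test accepts len == block_size.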
-v8 *
+int
ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
- ikev2_sa_transform_t * tr_encr, u8 * data, int len)
+ ikev2_sa_transform_t * tr_encr, u8 * data, int len,
+ u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
- int out_len = 0, block_size;
+ int tmp_len = 0, block_size;
u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
block_size = tr_encr->block_size;
+ u8 *iv = data;
/* check if data is multiplier of cipher block size */
if (len % block_size)
@@ -404,15 +404,20 @@
ikev2_elog_error ("wrong data length");
return 0;
}
+ data += block_size;
+ len -= block_size;
- v8 *r = vec_new (u8, len - block_size);
- EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
- EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
- EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
- /* remove padding */
- _vec_len (r) -= r[vec_len (r) - 1] + 1;
+ EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv);
+ EVP_CIPHER_CTX_set_padding (ctx, 0);
+ EVP_DecryptUpdate (ctx, data, &tmp_len, data, len);
- return r;
+ if (EVP_DecryptFinal_ex (ctx, data + tmp_len, &tmp_len) > 0)
+ {
+ *out_len = len - data[len - 1] - 1;
+ return 1;
+ }
+
+ return 0;
}
int
@@ -424,6 +429,8 @@
int out_len = 0, len = 0;
u8 nonce[IKEV2_GCM_NONCE_SIZE];
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
/* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */
RAND_bytes (dst, IKEV2_GCM_IV_SIZE);
@@ -452,6 +459,8 @@
int out_len = 0, len = 0;
int bs = tr_encr->block_size;
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
+ if (!key)
+ return 0;
/* generate IV */
u8 *iv = dst;
diff --git a/src/plugins/ikev2/ikev2_payload.c b/src/plugins/ikev2/ikev2_payload.c
index 56bb652..b7d7098 100644
--- a/src/plugins/ikev2/ikev2_payload.c
+++ b/src/plugins/ikev2/ikev2_payload.c
@@ -327,22 +327,27 @@
}
ikev2_sa_proposal_t *
-ikev2_parse_sa_payload (ike_payload_header_t * ikep)
+ikev2_parse_sa_payload (ike_payload_header_t * ikep, u32 rlen)
{
ikev2_sa_proposal_t *v = 0;
ikev2_sa_proposal_t *proposal;
ikev2_sa_transform_t *transform;
u32 plen = clib_net_to_host_u16 (ikep->length);
-
ike_sa_proposal_data_t *sap;
int proposal_ptr = 0;
+ if (sizeof (*ikep) > rlen)
+ return 0;
+
+ rlen -= sizeof (*ikep);
do
{
+ if (proposal_ptr + sizeof (*sap) > rlen)
+ goto data_corrupted;
+
sap = (ike_sa_proposal_data_t *) & ikep->payload[proposal_ptr];
- int i;
- int transform_ptr;
+ int i, transform_ptr;
/* IKE proposal should not have SPI */
if (sap->protocol_id == IKEV2_PROTOCOL_IKE && sap->spi_size != 0)
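Review bot: `u32 plen = clib_net_to_host_u16 (ikep->length);` still dereferences the payload header before the new `if (sizeof (*ikep) > rlen) return 0;` guard, so the bounds check arrives one read too late when the header is truncated; ikev2_parse_notify_payload in `@@ -425,19 +442,25 @@` has the same order (`u32 plen = clib_net_to_host_u16 (n->length);` above `if (sizeof (*n) > rlen)`). Declare `u32 plen;` and assign it after the guard in both functions. Minor: proposal_ptr and transform_ptr are `int` while rlen is u32 and the new comparisons mix the two; declaring them `u32` avoids the signed/unsigned promotion. The do/while condition is outside the hunk.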
@@ -353,6 +358,8 @@
goto data_corrupted;
transform_ptr = proposal_ptr + sizeof (*sap) + sap->spi_size;
+ if (transform_ptr > rlen)
+ goto data_corrupted;
vec_add2 (v, proposal, 1);
proposal->proposal_num = sap->proposal_num;
@@ -366,7 +373,9 @@
for (i = 0; i < sap->num_transforms; i++)
{
ike_sa_transform_data_t *tr =
- (ike_sa_transform_data_t *) & ikep->payload[transform_ptr];
+ (ike_sa_transform_data_t *) & ikep->payload[transform_ptr];
+ if (transform_ptr + sizeof (*tr) > rlen)
+ goto data_corrupted;
u16 tlen = clib_net_to_host_u16 (tr->transform_len);
if (tlen < sizeof (*tr))
@@ -376,9 +385,11 @@
transform->type = tr->transform_type;
transform->transform_id = clib_net_to_host_u16 (tr->transform_id);
+ if (transform_ptr + tlen > rlen)
+ goto data_corrupted;
if (tlen > sizeof (*tr))
vec_add (transform->attrs, tr->attributes, tlen - sizeof (*tr));
- transform_ptr += tlen;
+ transform_ptr += tlen;
}
proposal_ptr += clib_net_to_host_u16 (sap->proposal_len);
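Review bot: `proposal_ptr += clib_net_to_host_u16 (sap->proposal_len);` advances by a value none of the new rlen checks constrain, so a proposal_len of 0 (or one smaller than the proposal header) leaves proposal_ptr where it was and, as far as the loop condition outside the hunk allows, re-parses the same proposal and appends to v on every pass. A minimum-length test before the advance guarantees forward progress: `if (clib_net_to_host_u16 (sap->proposal_len) < sizeof (*sap)) goto data_corrupted;`. Requiring proposal_len to also cover the transforms just walked would be stricter still, but how strictly the per-proposal length is enforced is a policy choice for the caller.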
@@ -398,12 +409,18 @@
}
ikev2_ts_t *
-ikev2_parse_ts_payload (ike_payload_header_t * ikep)
+ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_ts_payload_header_t *tsp = (ike_ts_payload_header_t *) ikep;
ikev2_ts_t *r = 0, *ts;
u8 i;
+ if (sizeof (*tsp) > rlen)
+ return 0;
+
+ if (sizeof (*tsp) + tsp->num_ts * sizeof (ikev2_ts_payload_entry_t) > rlen)
+ return 0;
+
for (i = 0; i < tsp->num_ts; i++)
{
if (tsp->ts[i].ts_type != 7) /* TS_IPV4_ADDR_RANGE */
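Review bot: The bound `sizeof (*tsp) + tsp->num_ts * sizeof (ikev2_ts_payload_entry_t) > rlen` is only meaningful if every entry has the fixed size of ikev2_ts_payload_entry_t; entries with `ts_type != 7`, which the loop below already has to special-case, have a different on-wire length, so a non-IPv4 entry ahead of an IPv4 one shifts the `tsp->ts[i]` indexing and the bound no longer describes what is read. If the loop merely skips such entries instead of returning, it should stop at the first mismatch, and a comment such as `/* entries are assumed to be fixed-size TS_IPV4_ADDR_RANGE; the bound above relies on it */` would make the assumption explicit. The loop body continues outside the hunk.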
@@ -425,19 +442,25 @@
}
ikev2_notify_t *
-ikev2_parse_notify_payload (ike_payload_header_t * ikep)
+ikev2_parse_notify_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_notify_payload_header_t *n = (ike_notify_payload_header_t *) ikep;
- u32 plen = clib_net_to_host_u16 (ikep->length);
+ u32 plen = clib_net_to_host_u16 (n->length);
ikev2_notify_t *r = 0;
u32 spi;
+ if (sizeof (*n) > rlen)
+ return 0;
+
r = vec_new (ikev2_notify_t, 1);
r->msg_type = clib_net_to_host_u16 (n->msg_type);
r->protocol_id = n->protocol_id;
if (n->spi_size == 4)
{
+ if (sizeof (spi) + sizeof (*n) > rlen)
+ goto cleanup;
+
clib_memcpy (&spi, n->payload, n->spi_size);
r->spi = clib_net_to_host_u32 (spi);
}
@@ -448,15 +471,22 @@
else
{
clib_warning ("invalid SPI Size %d", n->spi_size);
+ goto cleanup;
}
if (plen > (sizeof (*n) + n->spi_size))
{
- vec_add (r->data, n->payload + n->spi_size,
- plen - sizeof (*n) - n->spi_size);
- }
+ if (plen <= sizeof (*n) + n->spi_size)
+ goto cleanup;
+ u32 data_len = plen - sizeof (*n) - n->spi_size;
+ vec_add (r->data, n->payload + n->spi_size, data_len);
+ }
return r;
+
+cleanup:
+ vec_free (r);
+ return 0;
}
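Review bot: `vec_add (r->data, n->payload + n->spi_size, data_len);` copies a length derived from the payload's own length field, and nothing in this function compares plen with rlen — the new guards only cover the fixed header and the 4-byte SPI — so a length field larger than the remaining packet still reads past it unless every caller validated plen beforehand. The inner `if (plen <= sizeof (*n) + n->spi_size) goto cleanup;` is unreachable, since the enclosing condition is its exact negation; replace it with the missing bound, `if (plen > rlen) goto cleanup;`.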
void
@@ -467,13 +497,16 @@
}
ikev2_delete_t *
-ikev2_parse_delete_payload (ike_payload_header_t * ikep)
+ikev2_parse_delete_payload (ike_payload_header_t * ikep, u32 rlen)
{
- ike_delete_payload_header_t *d = (ike_delete_payload_header_t *) ikep;
+ ike_delete_payload_header_t * d = (ike_delete_payload_header_t *) ikep;
ikev2_delete_t *r = 0, *del;
- u16 num_of_spi = clib_net_to_host_u16 (d->num_of_spi);
- u16 i = 0;
+ u16 i, num_of_spi;
+ if (rlen < sizeof (*d))
+ return 0;
+
+ num_of_spi = clib_net_to_host_u16 (d->num_of_spi);
if (d->protocol_id == IKEV2_PROTOCOL_IKE)
{
r = vec_new (ikev2_delete_t, 1);
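Review bot: The rewritten declaration `ike_delete_payload_header_t * d = ...` puts a space after the `*`, unlike `*r, *del` on the next line and the rest of the file; the line was touched only for this whitespace change, so keep the original `ike_delete_payload_header_t *d`. The function continues into the next hunk.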
@@ -481,11 +514,14 @@
}
else
{
- r = vec_new (ikev2_delete_t, num_of_spi);
- vec_foreach (del, r)
+ if (sizeof (*d) + num_of_spi * sizeof (u32) > rlen)
+ return 0;
+
+ for (i = 0; i < num_of_spi; i++)
{
- del->protocol_id = d->protocol_id;
- del->spi = clib_net_to_host_u32 (d->spi[i++]);
+ vec_add2 (r, del, 1);
+ del->protocol_id = d->protocol_id;
+ del->spi = clib_net_to_host_u32 (d->spi[i]);
}
}
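Review bot: The bound `sizeof (*d) + num_of_spi * sizeof (u32) > rlen` hard-codes 4-byte SPIs without checking the payload's SPI Size field; the scapy model added in this commit (`ByteField("SPIsize", 0)`) shows that field sits in front of the SPIs, so if ike_delete_payload_header_t exposes it, a peer declaring a different size has its SPIs read at the wrong stride and the bound no longer matches the data. A check that the SPI Size field equals `sizeof (u32)` (returning 0 otherwise) should sit next to the existing bound. The IKE branch above already covers the SPI-less case.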
diff --git a/src/plugins/ikev2/ikev2_priv.h b/src/plugins/ikev2/ikev2_priv.h
index f8b0458..f6f9989 100644
--- a/src/plugins/ikev2/ikev2_priv.h
+++ b/src/plugins/ikev2/ikev2_priv.h
@@ -522,18 +522,19 @@
int len);
v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
int len);
-v8 *ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
- ikev2_sa_transform_t * tr_encr, u8 * data, int len);
+int ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
+ ikev2_sa_transform_t * tr_encr, u8 * data, int len,
+ u32 * out_len);
int ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst);
int ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
v8 * src, u8 * dst, u8 * aad,
u32 aad_len, u8 * tag);
-u8 *ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
+int ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
u8 * data, int data_len, u8 * aad, u32 aad_len,
- u8 * tag);
+ u8 * tag, u32 * out_len);
void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
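Review bot: The new prototypes change the contract of ikev2_decrypt_data and ikev2_decrypt_aead_data from "returns a fresh vector" to "decrypts in place, returns 1 on success and writes the plaintext length to *out_len", but no comment in the header says so, and the in-place overwrite of the caller's buffer is the kind of side effect a caller needs to know about. A short comment above the two declarations, e.g. `/* Decrypt in place: data holds the IV followed by ciphertext; on success return 1 and set *out_len to the plaintext length with padding removed, else return 0. */`, records the ownership change.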
@@ -573,10 +574,13 @@
void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
-ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep);
-ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep);
-ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep);
-ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep);
+ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep,
+ u32 rlen);
+ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen);
+ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep,
+ u32 rlen);
+ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep,
+ u32 rlen);
int ikev2_set_log_level (ikev2_log_level_t log_level);
static_always_inline ikev2_main_per_thread_data_t *
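Review bot: The added `rlen` parameter on the four parse_*_payload prototypes is undocumented; each implementation interprets it as the number of bytes available from ikep onward, header included (as `rlen -= sizeof (*ikep)` in ikev2_parse_sa_payload shows), and a caller that passes the payload's own length field instead would silently disable the new checks. Suggested wording above the group: `/* rlen: bytes readable from ikep to the end of the packet; the parsers never read past ikep + rlen and return 0 on truncation */`.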
diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py
index 6116ebb..0bdc417 100644
--- a/src/plugins/ikev2/test/test_ikev2.py
+++ b/src/plugins/ikev2/test/test_ikev2.py
@@ -114,7 +114,7 @@
def pad(self, data):
pad_len = (len(data) // self.bs + 1) * self.bs - len(data)
data = data + b'\x00' * (pad_len - 1)
- return data + bytes([pad_len])
+ return data + bytes([pad_len - 1])
class AuthAlgo(object):
@@ -167,6 +167,7 @@
else:
self.sport = 500
self.dport = 500
+ self.msg_id = 0
self.dh_params = None
self.test = test
self.priv_key = priv_key
@@ -190,6 +191,10 @@
self.r_nonce = None
self.child_sas = [IKEv2ChildSA(local_ts, remote_ts)]
+ def new_msg_id(self):
+ self.msg_id += 1
+ return self.msg_id
+
def dh_pub_key(self):
return self.i_dh_data
@@ -502,10 +507,35 @@
def tearDown(self):
super(TemplateResponder, self).tearDown()
+ if self.sa.is_initiator:
+ self.initiate_del_sa()
+ r = self.vapi.ikev2_sa_dump()
+ self.assertEqual(len(r), 0)
+
self.p.remove_vpp_config()
self.assertIsNone(self.p.query_vpp_config())
- def create_ike_msg(self, src_if, msg, sport=500, dport=500, natt=False):
+ def verify_del_sa(self, packet):
+ ih = self.get_ike_header(packet)
+ self.assertEqual(ih.id, self.sa.msg_id)
+ self.assertEqual(ih.exch_type, 37) # exchange informational
+
+ def initiate_del_sa(self):
+ header = ikev2.IKEv2(init_SPI=self.sa.ispi, resp_SPI=self.sa.rspi,
+ flags='Initiator', exch_type='INFORMATIONAL',
+ id=self.sa.new_msg_id())
+ del_sa = ikev2.IKEv2_payload_Delete(proto='IKEv2')
+ ike_msg = self.encrypt_ike_msg(header, del_sa, 'Delete')
+ packet = self.create_packet(self.pg0, ike_msg,
+ self.sa.sport, self.sa.dport,
+ self.sa.natt)
+ self.pg0.add_stream(packet)
+ self.pg0.enable_capture()
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ self.verify_del_sa(capture[0])
+
+ def create_packet(self, src_if, msg, sport=500, dport=500, natt=False):
res = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
IP(src=src_if.remote_ip4, dst=src_if.local_ip4) /
UDP(sport=sport, dport=dport))
@@ -552,15 +582,49 @@
load=src_nat)
self.sa.init_req_packet = self.sa.init_req_packet / nat_detection
- ike_msg = self.create_ike_msg(self.pg0, self.sa.init_req_packet,
- self.sa.sport, self.sa.dport,
- self.sa.natt)
+ ike_msg = self.create_packet(self.pg0, self.sa.init_req_packet,
+ self.sa.sport, self.sa.dport,
+ self.sa.natt)
self.pg0.add_stream(ike_msg)
self.pg0.enable_capture()
self.pg_start()
capture = self.pg0.get_capture(1)
self.verify_sa_init(capture[0])
+ def encrypt_ike_msg(self, header, plain, first_payload):
+ if self.sa.ike_crypto == 'AES-GCM-16ICV':
+ data = self.sa.ike_crypto_alg.pad(raw(plain))
+ plen = len(data) + GCM_IV_SIZE + GCM_ICV_SIZE +\
+ len(ikev2.IKEv2_payload_Encrypted())
+ tlen = plen + len(ikev2.IKEv2())
+
+ # prepare aad data
+ sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
+ length=plen)
+ header.length = tlen
+ res = header / sk_p
+ encr = self.sa.encrypt(raw(plain), raw(res))
+ sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
+ length=plen, load=encr)
+ res = header / sk_p
+ else:
+ encr = self.sa.encrypt(raw(plain))
+ trunc_len = self.sa.ike_integ_alg.trunc_len
+ plen = len(encr) + len(ikev2.IKEv2_payload_Encrypted()) + trunc_len
+ tlen = plen + len(ikev2.IKEv2())
+
+ sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
+ length=plen, load=encr)
+ header.length = tlen
+ res = header / sk_p
+
+ integ_data = raw(res)
+ hmac_data = self.sa.compute_hmac(self.sa.ike_integ_alg.mod(),
+ self.sa.my_authkey, integ_data)
+ res = res / Raw(hmac_data[:trunc_len])
+ assert(len(res) == tlen)
+ return res
+
def send_sa_auth(self):
tr_attr = self.sa.esp_crypto_attr()
trans = (ikev2.IKEv2_payload_Transform(transform_type='Encryption',
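Review bot: In encrypt_ike_msg, `trunc_len` is assigned only in the non-GCM branch, and this view does not preserve indentation, so it is not possible to tell whether `integ_data = raw(res)` through `res = res / Raw(hmac_data[:trunc_len])` still sit inside the `else:` block as they did in the send_sa_auth code this replaces; if they were dedented during the move, the AES-GCM path raises UnboundLocalError. Worth confirming, since the trailing `assert(len(res) == tlen)` is clearly shared by both branches.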
@@ -595,48 +659,14 @@
traffic_selector=tsr) /
ikev2.IKEv2_payload_Notify(type='INITIAL_CONTACT'))
- if self.sa.ike_crypto == 'AES-GCM-16ICV':
- data = self.sa.ike_crypto_alg.pad(raw(plain))
- plen = len(data) + GCM_IV_SIZE + GCM_ICV_SIZE +\
- len(ikev2.IKEv2_payload_Encrypted())
- tlen = plen + len(ikev2.IKEv2())
+ header = ikev2.IKEv2(
+ init_SPI=self.sa.ispi,
+ resp_SPI=self.sa.rspi, id=self.sa.new_msg_id(),
+ flags='Initiator', exch_type='IKE_AUTH')
- # prepare aad data
- sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
- length=plen)
- sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
- resp_SPI=self.sa.rspi, id=1,
- length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
- sa_auth /= sk_p
-
- encr = self.sa.encrypt(raw(plain), raw(sa_auth))
- sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
- length=plen, load=encr)
- sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
- resp_SPI=self.sa.rspi, id=1,
- length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
- sa_auth /= sk_p
- else:
- encr = self.sa.encrypt(raw(plain))
- trunc_len = self.sa.ike_integ_alg.trunc_len
- plen = len(encr) + len(ikev2.IKEv2_payload_Encrypted()) + trunc_len
- tlen = plen + len(ikev2.IKEv2())
-
- sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
- length=plen, load=encr)
- sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
- resp_SPI=self.sa.rspi, id=1,
- length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
- sa_auth /= sk_p
-
- integ_data = raw(sa_auth)
- hmac_data = self.sa.compute_hmac(self.sa.ike_integ_alg.mod(),
- self.sa.my_authkey, integ_data)
- sa_auth = sa_auth / Raw(hmac_data[:trunc_len])
-
- assert(len(sa_auth) == tlen)
- packet = self.create_ike_msg(self.pg0, sa_auth, self.sa.sport,
- self.sa.dport, self.sa.natt)
+ ike_msg = self.encrypt_ike_msg(header, plain, 'IDi')
+ packet = self.create_packet(self.pg0, ike_msg, self.sa.sport,
+ self.sa.dport, self.sa.natt)
self.pg0.add_stream(packet)
self.pg0.enable_capture()
self.pg_start()
@@ -656,6 +686,7 @@
def verify_sa_init(self, packet):
ih = self.get_ike_header(packet)
+ self.assertEqual(ih.id, self.sa.msg_id)
self.assertEqual(ih.exch_type, 34)
self.assertTrue('Response' in ih.flags)
self.assertEqual(ih.init_SPI, self.sa.ispi)
@@ -691,6 +722,7 @@
ike = self.get_ike_header(packet)
udp = packet[UDP]
self.verify_udp(udp)
+ self.assertEqual(ike.id, self.sa.msg_id)
plain = self.sa.hmac_and_decrypt(ike)
self.sa.calc_child_keys()
@@ -1123,5 +1155,43 @@
'ike-dh': '2048MODPgr'})
+class TestMalformedMessages(TemplateResponder, Ikev2Params):
+ """ malformed packet test """
+
+ def tearDown(self):
+ pass
+
+ def config_tc(self):
+ self.config_params()
+
+ def assert_counter(self, count, name):
+ node_name = '/err/ikev2/' + name
+ self.assertEqual(count, self.statistics.get_err_counter(node_name))
+
+ def create_ike_init_msg(self, length=None, payload=None):
+ msg = ikev2.IKEv2(length=length, init_SPI='\x11' * 8,
+ flags='Initiator', exch_type='IKE_SA_INIT')
+ if payload is not None:
+ msg /= payload
+ return self.create_packet(self.pg0, msg, self.sa.sport,
+ self.sa.dport)
+
+ def verify_bad_packet_length(self):
+ ike_msg = self.create_ike_init_msg(length=0xdead)
+ self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count)
+ self.assert_counter(self.pkt_count, 'Bad packet length')
+
+ def verify_bad_sa_payload_length(self):
+ p = ikev2.IKEv2_payload_SA(length=0xdead)
+ ike_msg = self.create_ike_init_msg(payload=p)
+ self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count)
+ self.assert_counter(self.pkt_count, 'Malformed packet')
+
+ def test_responder(self):
+ self.pkt_count = 254
+ self.verify_bad_packet_length()
+ self.verify_bad_sa_payload_length()
+
+
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
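Review bot: TestMalformedMessages overrides `tearDown` with `pass`, which skips TemplateResponder's teardown entirely — the parent VPP test-case cleanup as well as `self.p.remove_vpp_config()` — so the profile configured by config_tc stays on the instance after the test. If the override exists only to avoid initiate_del_sa (no SA is established in this class), a narrower version keeps the cleanup: `super(TemplateResponder, self).tearDown()` followed by `self.p.remove_vpp_config()`.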
diff --git a/src/plugins/ikev2/test/vpp_ikev2.py b/src/plugins/ikev2/test/vpp_ikev2.py
index 5a2a51e..b3339d0 100644
--- a/src/plugins/ikev2/test/vpp_ikev2.py
+++ b/src/plugins/ikev2/test/vpp_ikev2.py
@@ -115,19 +115,19 @@
**self.remote_id)
if hasattr(self, 'local_ts'):
self.vapi.ikev2_profile_set_ts(name=self.profile_name,
- ts={**self.local_ts})
+ ts=self.local_ts)
if hasattr(self, 'remote_ts'):
self.vapi.ikev2_profile_set_ts(name=self.profile_name,
- ts={**self.remote_ts})
+ ts=self.remote_ts)
if hasattr(self, 'responder'):
self.vapi.ikev2_set_responder(name=self.profile_name,
- responder={**self.responder})
+ responder=self.responder)
if hasattr(self, 'ike_transforms'):
self.vapi.ikev2_set_ike_transforms(name=self.profile_name,
- tr={**self.ike_transforms})
+ tr=self.ike_transforms)
if hasattr(self, 'esp_transforms'):
self.vapi.ikev2_set_esp_transforms(name=self.profile_name,
diff --git a/test/patches/scapy-2.4.3/ikev2.patch b/test/patches/scapy-2.4.3/ikev2.patch
new file mode 100644
index 0000000..be143e8
--- /dev/null
+++ b/test/patches/scapy-2.4.3/ikev2.patch
@@ -0,0 +1,24 @@
+diff --git a/scapy/contrib/ikev2.py b/scapy/contrib/ikev2.py
+index 60b20480..a071ffc7 100644
+--- a/scapy/contrib/ikev2.py
++++ b/scapy/contrib/ikev2.py
+@@ -608,13 +608,16 @@ class IKEv2_payload_TSr(IKEv2_class):
+
+
+ class IKEv2_payload_Delete(IKEv2_class):
+- name = "IKEv2 Vendor ID"
++ name = "IKEv2 delete payload"
+ overload_fields = {IKEv2: {"next_payload": 42}}
+ fields_desc = [
+ ByteEnumField("next_payload", None, IKEv2_payload_type),
+ ByteField("res", 0),
+- FieldLenField("length", None, "vendorID", "H", adjust=lambda pkt, x:x + 4), # noqa: E501
+- StrLenField("vendorID", "", length_from=lambda x:x.length - 4),
++ FieldLenField("length", None, "SPIs", "H", adjust=lambda pkt, x:x + 8), # noqa: E501
++ ByteEnumField("proto", 1, {1: "IKEv2", 2: "AH", 3: "ESP"}),
++ ByteField("SPIsize", 0),
++ ShortField("SPInum", 0),
++ StrLenField("SPIs", "", length_from=lambda x: x.length - 8),
+ ]
+
+