Avoid panic when counting IPsec keys #27996
LGTM
When executing `cilium encrypt status`, cilium-agent lists xfrm states and counts number of different AEAD keys. However, cilium-agent panics if there is any xfrm state using non-AEAD algorithm. These unexpected xfrm states could be installed by other applications.

To reproduce the panic, we can manually install one by running command:

```
ip x s a src 1.1.1.1 dst 1.1.1.2 proto esp spi 0x3 reqid 1 mode tunnel enc aes 0xf0e1d2c3b4a5f60708090a0b0c0d0e0f
```

Then `cilium encrypt status` crashes.

This patch fixes it.

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
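The failure mode the commit message describes, as an added example that is not part of this pull request or Cilium's code: counting distinct AEAD keys over a list of xfrm states while tolerating states that carry no AEAD algorithm. The `Algo` and `State` types, the function names and the sample states are assumptions made for the illustration, including the assumption that a missing AEAD algorithm is represented as a nil pointer.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Algo and State are hypothetical stand-ins for a netlink library's xfrm
// types: each algorithm slot is a pointer that is nil when the state lacks it.
type Algo struct {
	Name string
	Key  []byte
}
type State struct {
	Spi   int
	Aead  *Algo // set for AEAD states
	Crypt *Algo // set for plain "enc" states such as the reproducer's
}

// CountUniqueAeadKeys returns the number of distinct AEAD keys and the number
// of states skipped because they carry no AEAD algorithm.
func CountUniqueAeadKeys(states []State) (keys int, skipped int) {
	seen := map[string]struct{}{}
	for _, s := range states {
		if s.Aead == nil { // without this guard, s.Aead.Key dereferences nil and panics
			skipped++
			continue
		}
		seen[hex.EncodeToString(s.Aead.Key)] = struct{}{}
	}
	return len(seen), skipped
}

// SampleStates is constructed input: two AEAD states sharing a key, one AEAD
// state with another key, and one non-AEAD state shaped like the reproducer.
func SampleStates() []State {
	k1, k2 := []byte{0x01, 0x02, 0x03, 0x04}, []byte{0xaa, 0xbb, 0xcc, 0xdd}
	foreign, _ := hex.DecodeString("f0e1d2c3b4a5f60708090a0b0c0d0e0f")
	return []State{
		{Spi: 1, Aead: &Algo{Name: "rfc4106(gcm(aes))", Key: k1}},
		{Spi: 1, Aead: &Algo{Name: "rfc4106(gcm(aes))", Key: k1}},
		{Spi: 2, Aead: &Algo{Name: "rfc4106(gcm(aes))", Key: k2}},
		{Spi: 3, Crypt: &Algo{Name: "aes", Key: foreign}},
	}
}

func main() {
	keys, skipped := CountUniqueAeadKeys(SampleStates())
	fmt.Printf("AEAD keys in use: %d (skipped %d non-AEAD states)\n", keys, skipped)
}
```

Reporting the skipped count alongside the key count keeps foreign xfrm states visible to the operator instead of silently ignoring them.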
/test

@jschwinger233 given this is a bugfix, should we add backport labels? And if so, how far back?

Added backport labels for 1.12, 1.13 and 1.14

The right labels are "needs-backport/1.x". Fixed now.