net/iavf: fix SPI check

[ upstream commit a452ff1 ] Return error if SPI from the flow spec doesn't match the one from the crypto session. Fixes: 6bc987e ("net/iavf: support IPsec inline crypto") Signed-off-by: Radu Nicolau <radu.nicolau@intel.com> Acked-by: Qi Zhang <qi.z.zhang@intel.com>
kevintraynor · Nov 7, 2022 · 4ff81b5 · 4ff81b5
1 parent 4b23fc4
commit 4ff81b5
Showing 1 changed file with 3 additions and 11 deletions.
diff --git a/drivers/net/iavf/iavf_ipsec_crypto.c b/drivers/net/iavf/iavf_ipsec_crypto.c
@@ -708,19 +708,11 @@ iavf_ipsec_crypto_action_valid(struct rte_eth_dev *ethdev,
 	if (unlikely(sess == NULL || sess->adapter != adapter))
 		return false;
 
-	/* SPI value must be non-zero */
-	if (spi == 0)
+	/* SPI value must be non-zero and must match flow SPI*/
+	if (spi == 0 || (htonl(sess->sa.spi) != spi))
 		return false;
-	/* Session SPI must patch flow SPI*/
-	else if (sess->sa.spi == spi) {
-		return true;
-		/**
-		 * TODO: We should add a way of tracking valid hw SA indices to
-		 * make validation less brittle
-		 */
-	}
 
-		return true;
+	return true;
 }
 
 /**