From 0ca831f50b9e772820ef8197e04db795543526bb Mon Sep 17 00:00:00 2001
From: Bryan Boreham
Date: Wed, 11 Mar 2020 12:16:11 +0000
Subject: [PATCH 1/2] Reduce pcap timeout to avoid overflow

The value is passed by google/gopacket into a signed 32-bit int, so we must pick a timeout which is less than 2^31 microseconds. See https://github.com/google/gopacket/issues/708
---
 router/pcap.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/router/pcap.go b/router/pcap.go
index db1048c2d7..c4859277e0 100644
--- a/router/pcap.go
+++ b/router/pcap.go
@@ -4,10 +4,14 @@ import (
 "fmt"
 "net"
 "sync"
+ "time"
 "github.com/google/gopacket/pcap"
 )
+// Must be less than 2^31 usec - see https://github.com/google/gopacket/issues/708
+const longTimeout = time.Duration(30 * time.Minute)
+
 type Pcap struct {
 NonDiscardingFlowOp
@@ -77,7 +81,7 @@ func newPcapHandle(ifName string, promisc bool, snaplen int, bufSz int) (handle
 if err = inactive.SetSnapLen(snaplen); err != nil {
 return
 }
- if err = inactive.SetTimeout(MaxDuration); err != nil {
+ if err = inactive.SetTimeout(longTimeout); err != nil {
 return
 }
 if err = inactive.SetImmediateMode(true); err != nil {
From 6bc0e5e71c9e847c42436a15372ec18c76b6ae2b Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Wed, 11 Mar 2020 21:26:09 +0530
Subject: [PATCH 2/2] send FastDatapathCryptoInitSARemote control message only if encryption is enabled

Fixes #3781
---
 router/fastdp.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/router/fastdp.go b/router/fastdp.go
index 5f2a101b0b..a25df7d45d 100644
--- a/router/fastdp.go
+++ b/router/fastdp.go
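Review bot: In router/pcap.go, the comment on `longTimeout` gives the limit only as "2^31 usec", which does not show how little headroom 30 minutes leaves; 2^31 microseconds is about 35.8 minutes, so the comment could read `// Must stay below 2^31 usec (~35.8 min), which gopacket stores in a signed 32-bit int - see https://github.com/google/gopacket/issues/708`. The `time.Duration(...)` conversion is redundant because `30 * time.Minute` is already a `time.Duration`, so `const longTimeout = 30 * time.Minute` is enough. The second hunk swaps `MaxDuration` for this constant inside newPcapHandle, whose body continues outside the hunk. With a finite timeout it is worth confirming that the packet-read loop (not visible here) treats a timeout expiry as a retry rather than a fatal error, so capture does not stop after an idle period.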
@@ -694,10 +694,12 @@ func (fwd *fastDatapathForwarder) Confirm() {
 fwd.lock.Unlock() // unlock before calling send() which may block
- if err := fwd.sendControlMsg(FastDatapathCryptoInitSARemote, controlMsg); err != nil {
- log.Error(fwd.logPrefix(), "ipsec send InitSARemote failed: ", err)
- fwd.handleError(err)
- return
+ if len(controlMsg) > 0 {
+ if err := fwd.sendControlMsg(FastDatapathCryptoInitSARemote, controlMsg); err != nil {
+ log.Error(fwd.logPrefix(), "ipsec send InitSARemote failed: ", err)
+ fwd.handleError(err)
+ return
+ }
 }
 go fwd.doHeartbeats()
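Review bot: The new `if len(controlMsg) > 0` guard in Confirm() uses an empty message as a stand-in for "encryption is disabled", and nothing at the guard says so. The code that builds `controlMsg` is outside the hunk, so it is unclear whether an empty slice can also occur while encryption is on; if it can, the InitSARemote message would be skipped silently and `go fwd.doHeartbeats()` would still run. I would add a comment such as `// controlMsg is only populated when encryption is enabled; nothing to send otherwise`. Alternatively, test the encryption setting itself and hand an empty message with encryption on to `fwd.handleError` as an error, so the connection fails closed instead of proceeding without the SA exchange.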