[Swan-dev] shared phase1 terminate crasher. Proposed fix
Paul Wouters
paul at nohats.ca
Thu Jun 23 13:32:57 UTC 2016
On GitHub, someone suggests the following fix:
if (shared_phase1_connection(c)) {
libreswan_log("IKE SA is shared - only terminating IPsec SA");
- delete_state(state_with_serialno(c->newest_ipsec_sa));
+ struct state *st = state_with_serialno(c->newest_ipsec_sa);
+ if ( st != NULL )
+ delete_state(st);
} else {
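Review bot: the NULL check in the added lines keeps delete_state() from being handed a NULL pointer, but when st is NULL the code has just logged "IKE SA is shared - only terminating IPsec SA" and then terminates nothing, with no indication why; the NULL branch should at least log (or DBG) that c->newest_ipsec_sa named no state, so the silent no-op is visible when this is debugged again. Minor style point on the same lines: `if ( st != NULL )` uses spacing inside the parentheses that the surrounding code does not.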
This seems wrong. The function shared_phase1_connection() returns TRUE
if we find a state in the state table that is cloned from
c->newest_isakmp_sa but is not on our connection.
What seems to happen is that we find such a state but it is not the
state with serial c->newest_ipsec_sa, which actually does not exist?
And we pass NULL into delete_state() which causes the crash.
It is reported this is related to terminating non-established
connections, so perhaps c->newest_ipsec_sa is 0?
I'm wondering if the proper fix would be:
if (shared_phase1_connection(c)) {
libreswan_log("IKE SA is shared - only terminating IPsec SA");
- delete_state(state_with_serialno(c->newest_ipsec_sa));
+ if (c->newest_ipsec_sa != SOS_NOBODY)
+ delete_state(state_with_serialno(c->newest_ipsec_sa));
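Review bot: the SOS_NOBODY test on the added lines only covers the case where the connection never had an IPsec SA; the message itself raises the possibility that c->newest_ipsec_sa names a serial whose state "actually does not exist", and in that case state_with_serialno() still returns NULL and delete_state() still dereferences it. Either keep the NULL check on the returned pointer from the GitHub version in addition to this one, or fold both into a single test, e.g. `struct state *st = state_with_serialno(c->newest_ipsec_sa); if (st != NULL) delete_state(st);`, which handles SOS_NOBODY and a stale serial alike.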
Paul
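To make the two failure paths discussed in this message concrete, here is an added mock of the state table and of the shared-phase1 terminate branch. It is example code written for this page, not libreswan's code: the names state_with_serialno, shared_phase1_connection, delete_state, SOS_NOBODY, newest_isakmp_sa and newest_ipsec_sa follow the quoted diff, while the struct layouts, the fixed-size table, the deleted flag, conn_a/conn_b and setup_scenario() are made up here. Connection B reuses A's IKE SA; in the first scenario B has no IPsec SA (newest_ipsec_sa is SOS_NOBODY), in the second B's IPsec SA is deleted and its serial goes stale. terminate_would_crash() reports when the pre-patch code would have passed NULL to delete_state(); terminate_connection() applies both the SOS_NOBODY check and the NULL check.

```c
/* Added example (not libreswan code): mock of the state table and the
 * shared-phase1 terminate path. Struct layouts, the table and the
 * scenario helper are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned long so_serial_t;
#define SOS_NOBODY ((so_serial_t)0) /* "no such state"; real serials start at 1 */

struct connection;

struct state {
	so_serial_t st_serialno;
	so_serial_t st_clonedfrom;        /* IKE SA this state was cloned from, or SOS_NOBODY */
	struct connection *st_connection; /* connection the state belongs to */
	bool deleted;
};

struct connection {
	const char *name;
	so_serial_t newest_isakmp_sa;
	so_serial_t newest_ipsec_sa;
};

enum terminate_result {
	TERM_NOT_SHARED,           /* the "else" branch: whole connection is torn down */
	TERM_SHARED_DELETED_IPSEC, /* IKE SA shared, IPsec SA deleted */
	TERM_SHARED_NO_IPSEC_SA    /* IKE SA shared, but no IPsec SA state to delete */
};

#define MAX_STATES 8
static struct state state_table[MAX_STATES];
static size_t nstates;

static struct connection conn_a = { "A", SOS_NOBODY, SOS_NOBODY };
static struct connection conn_b = { "B", SOS_NOBODY, SOS_NOBODY };

static void add_state(so_serial_t sn, so_serial_t clonedfrom, struct connection *c)
{
	struct state *st = &state_table[nstates++];
	st->st_serialno = sn;
	st->st_clonedfrom = clonedfrom;
	st->st_connection = c;
	st->deleted = false;
}

/* Mock lookup: NULL for SOS_NOBODY, an unknown serial, or a deleted state. */
static struct state *state_with_serialno(so_serial_t sn)
{
	for (size_t i = 0; i < nstates; i++)
		if (!state_table[i].deleted && state_table[i].st_serialno == sn)
			return &state_table[i];
	return NULL;
}

/* TRUE if some live state cloned from c->newest_isakmp_sa is not on c. */
static bool shared_phase1_connection(const struct connection *c)
{
	if (c->newest_isakmp_sa == SOS_NOBODY)
		return false; /* mock guard so SOS_NOBODY never matches an IKE SA's own clonedfrom */
	for (size_t i = 0; i < nstates; i++) {
		const struct state *st = &state_table[i];
		if (!st->deleted && st->st_clonedfrom == c->newest_isakmp_sa && st->st_connection != c)
			return true;
	}
	return false;
}

static void delete_state(struct state *st)
{
	st->deleted = true; /* dereferences st: a NULL here is the reported crash */
}

/* Pre-patch behaviour: delete_state(state_with_serialno(...)) gets NULL here. */
static bool terminate_would_crash(const struct connection *c)
{
	return shared_phase1_connection(c) && state_with_serialno(c->newest_ipsec_sa) == NULL;
}

static enum terminate_result terminate_connection(struct connection *c)
{
	if (shared_phase1_connection(c)) {
		printf("IKE SA is shared - only terminating IPsec SA\n");
		if (c->newest_ipsec_sa == SOS_NOBODY) /* never had an IPsec SA */
			return TERM_SHARED_NO_IPSEC_SA;
		struct state *st = state_with_serialno(c->newest_ipsec_sa);
		if (st == NULL) /* serial is stale: state already gone */
			return TERM_SHARED_NO_IPSEC_SA;
		delete_state(st);
		return TERM_SHARED_DELETED_IPSEC;
	}
	return TERM_NOT_SHARED;
}

/* Constructed scenario: A owns IKE SA 1 and IPsec SA 2; B reuses IKE SA 1. */
static void setup_scenario(bool b_established)
{
	nstates = 0;
	add_state(1, SOS_NOBODY, &conn_a);
	add_state(2, 1, &conn_a);
	conn_a.newest_isakmp_sa = 1;
	conn_a.newest_ipsec_sa = 2;
	conn_b.newest_isakmp_sa = 1;
	conn_b.newest_ipsec_sa = SOS_NOBODY;
	if (b_established) {
		add_state(3, 1, &conn_b);
		conn_b.newest_ipsec_sa = 3;
	}
}

int main(void)
{
	setup_scenario(false);
	printf("B not established: pre-patch would crash = %d, result = %d\n",
	       terminate_would_crash(&conn_b), terminate_connection(&conn_b));
	setup_scenario(true);
	printf("B established: result = %d\n", terminate_connection(&conn_b));
	printf("B stale serial: pre-patch would crash = %d, result = %d\n",
	       terminate_would_crash(&conn_b), terminate_connection(&conn_b));
	return 0;
}
```

The second scenario is the one the SOS_NOBODY check alone does not cover: once B's IPsec SA has been deleted, newest_ipsec_sa still holds serial 3, so the lookup returns NULL and only the pointer check stands between the code and the crash.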