[Swan-dev] shared phase1 terminate crasher. Proposed fix

Paul Wouters paul at nohats.ca
Thu Jun 23 13:32:57 UTC 2016


On github, someone suggests the following fix:

     if (shared_phase1_connection(c)) {
         libreswan_log("IKE SA is shared - only terminating IPsec SA");
-       delete_state(state_with_serialno(c->newest_ipsec_sa));
+       struct state *st = state_with_serialno(c->newest_ipsec_sa);
+       if ( st != NULL )
+           delete_state(st);
     } else {
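Review bot: the added NULL guard on the result of state_with_serialno() masks the failure rather than explaining it: when the lookup returns NULL the branch still logs "IKE SA is shared - only terminating IPsec SA" and then silently deletes nothing, so nothing tells the operator that the IPsec SA was not found. Consider logging the skipped case in an else branch, and drop the spaces inside the parentheses in `if ( st != NULL )` to match the surrounding style.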


This seems wrong. The function shared_phase1_connection() returns TRUE
if we find a state in the state table that is cloned from
c->newest_isakmp_sa but is not on our connection.

What seems to happen is that we find such a state but it is not the
state with serial c->newest_ipsec_sa, which actually does not exist?
And we pass NULL into delete_state() which causes the crash.

It is reported this is related to terminating non-established
connections, so perhaps c->newest_ipsec_sa is 0?

I'm wondering if the proper fix would be:

     if (shared_phase1_connection(c)) {
         libreswan_log("IKE SA is shared - only terminating IPsec SA");
-       delete_state(state_with_serialno(c->newest_ipsec_sa));
+	if (c->newest_ipsec_sa != SOS_NOBODY)
+		delete_state(state_with_serialno(c->newest_ipsec_sa));
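Review bot: the two added lines are indented with a tab while the surrounding context lines use spaces, and the check leaves a gap: comparing c->newest_ipsec_sa against SOS_NOBODY only covers the unset case, so if the serial is set but no longer resolves to a state (the situation raised above, where the state with that serial does not exist), state_with_serialno() still returns NULL and delete_state() is still called with it. Consider combining both checks: skip when the serial is SOS_NOBODY, look the state up into a local, and call delete_state() only when the result is non-NULL, logging otherwise.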

Paul

