author | Markus Friedl <markus@cvs.openbsd.org> | 2013-11-28 20:27:18 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2013-11-28 20:27:18 +0000 |
commit | 357582319e424760f297aab552f8be33d83929c6 (patch) | |
tree | dc51696e561b29fe1cb3ec87438ed8b3c4d09bb7 | |
parent | 954ff01cccca20539aa7bfbb9d949c4385a70a1d (diff) |
drop duplicate requests
otherwise IKE_AUTH requests might be accepted twice, leading to TWO
child-SAs with the same remote SPI, but different local SPIs, leading
to corrupt child-SA tables.
with & ok mikeb@
-rw-r--r-- | sbin/iked/ikev2.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c index 466cc3c716c..2c31d945e58 100644 --- a/sbin/iked/ikev2.c +++ b/sbin/iked/ikev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ikev2.c,v 1.84 2013/11/28 20:21:17 markus Exp $ */ +/* $OpenBSD: ikev2.c,v 1.85 2013/11/28 20:27:17 markus Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -423,6 +423,12 @@ ikev2_recv(struct iked *env, struct iked_message *msg) sa_free(env, sa); } return; + } else if (msg->msg_msgid == sa->sa_msgid) { + /* + * Response is being worked on, most likely we're + * waiting for the CA process to get back to us + */ + return; } /* * If it's a new request, make sure to update the peer's |
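
Review bot: The new `else if (msg->msg_msgid == sa->sa_msgid)` branch in ikev2_recv() returns without logging anything, so a duplicate request dropped here leaves no trace for whoever later debugs retransmissions or a stalled negotiation. A debug-level log line carrying the message id before the `return;` would make the drop visible. The comment also hedges with "most likely": it would be clearer to state the condition the code relies on, namely that sa->sa_msgid still holds the id of a request whose response has not been sent yet, and to say what else can match this comparison if that is not the only case.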