authortobhe <tobhe@cvs.openbsd.org>2021-06-17 13:28:21 +0000
committertobhe <tobhe@cvs.openbsd.org>2021-06-17 13:28:21 +0000
commitfda273cf8af23c7c9b27817e82beba72d9eb713b (patch)
tree4494cfb8d77fb0890d00325a847bdd1c7a3f08a8 /sbin
parentb1305b40f6580a23e1abb42fe7393e2cb49be8a4 (diff)
Skip flows in ikev2_cp_addr() if they don't contain a dynamic (0.0.0.0)
address before checking sa_addrpool. Fixes a bug where no flows are added if a single address instead of a pool is configured in config address. Reported by Sebastien Leclerc ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/iked/ikev2.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index de8cd61039f..9e890979110 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.323 2021/06/11 13:11:20 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.324 2021/06/17 13:28:20 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -7063,25 +7063,25 @@ ikev2_cp_fixaddr(struct iked_sa *sa, struct iked_addr *addr,
return (-1);
switch (addr->addr_af) {
case AF_INET:
+ in4 = (struct sockaddr_in *)&addr->addr;
+ if (in4->sin_addr.s_addr)
+ return (-2);
naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
sa->sa_addrpool : sa->sa_cp_addr;
if (naddr == NULL)
return (-1);
- in4 = (struct sockaddr_in *)&addr->addr;
- if (in4->sin_addr.s_addr)
- return (-2);
memcpy(patched, naddr, sizeof(*patched));
patched->addr_net = 0;
patched->addr_mask = 32;
break;
case AF_INET6:
+ in6 = (struct sockaddr_in6 *)&addr->addr;
+ if (!IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr))
+ return (-2);
naddr = (sa->sa_cp == IKEV2_CP_REQUEST) ?
sa->sa_addrpool6 : sa->sa_cp_addr6;
if (naddr == NULL)
return (-1);
- in6 = (struct sockaddr_in6 *)&addr->addr;
- if (!IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr))
- return (-2);
memcpy(patched, naddr, sizeof(*patched));
patched->addr_net = 0;
patched->addr_mask = 128;
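Review bot: The ordering this fix depends on is not recorded in the code: in both the AF_INET and AF_INET6 cases the `return (-2)` for a non-dynamic address now has to come before the `naddr == NULL` check, and nothing stops a later edit from swapping them back. A one-line comment above each check would pin it, for example `/* non-dynamic selector: skip (-2) before the pool lookup can fail (-1) */`. The IPv4 test could also be written `if (in4->sin_addr.s_addr != INADDR_ANY)` so that it reads like the `IN6_IS_ADDR_UNSPECIFIED` test in the IPv6 case. How callers treat -1 versus -2 is not visible here, because ikev2_cp_fixaddr() starts and ends outside the hunk; going by the commit message, -2 presumably means the flow is left as configured, and that contract would be worth stating in a comment at the top of the function.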