From: Tobias Brunner Date: Fri, 28 May 2021 11:36:04 +0000 (+0200) Subject: kernel-netlink: Read protocol of acquire not from template X-Git-Tag: 5.9.6rc1~3^2~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9983326b20ee18806668b589898d81e53d7f1a7c;p=thirdparty%2Fstrongswan.git kernel-netlink: Read protocol of acquire not from template If a policy with IPComp template triggers an acquire, we get two, one for an IPComp, one for ESP/AH SA. However, the triggering template of the trap policy (where we get the reqid from), will be the same in both acquires, IPComp, which we ignore, so no acquire was actually forwarded.
---
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 339ce2a59f..32b6853450 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -899,9 +899,10 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 size_t rtasize;
 traffic_selector_t *src_ts, *dst_ts;
 uint32_t reqid = 0;
- int proto = 0;
+ uint8_t proto;
 acquire = NLMSG_DATA(hdr);
+ proto = acquire->id.proto;
 rta = XFRM_RTA(hdr, struct xfrm_user_acquire);
 rtasize = XFRM_PAYLOAD(hdr, struct xfrm_user_acquire);
@@ -916,7 +917,6 @@ static void process_acquire(private_kernel_netlink_ipsec_t *this,
 struct xfrm_user_tmpl* tmpl;
 tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rta);
 reqid = tmpl->reqid;
- proto = tmpl->id.proto;
 }
 rta = RTA_NEXT(rta, rtasize);
 }
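Review bot: The new assignment `proto = acquire->id.proto;` in the first hunk carries no comment explaining why the protocol is read from the acquire itself while `reqid` still comes from `tmpl` in the attribute loop. I would add `/* protocol of this acquire; the template is that of the trap policy and is IPComp in both acquires */` directly above it. Without that, the second hunk's removal of `proto = tmpl->id.proto;` looks arbitrary and is easy to undo in a later cleanup, which would bring back the dropped ESP/AH acquire described in the commit message. The dereference also presumes the netlink payload holds a full `struct xfrm_user_acquire`; no length check is visible in the hunk, and process_acquire starts and ends outside it, so confirm that the caller or an earlier line guarantees this.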