child-rekey: Don't migrate child-create task if we already are deleting

If we are already deleting the old/redundant CHILD_SA, we must not
migrate the child-create task as that would destroy the new CHILD_SA we
already moved to the IKE_SA.

Fixes #3644.

diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index 6b0f4278563d2ee1418286c6c0ff43df00ea3fdd..36d7c4bff08080a72f5123bf461657290ed7708f 100644 (file)
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -573,14 +573,15 @@ METHOD(child_rekey_t, collide, void,
 METHOD(task_t, migrate, void,
        private_child_rekey_t *this, ike_sa_t *ike_sa)
 {
-       if (this->child_create)
-       {
-               this->child_create->task.migrate(&this->child_create->task, ike_sa);
-       }
+       /* only migrate the currently active task */
        if (this->child_delete)
        {
                this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
        }
+       else if (this->child_create)
+       {
+               this->child_create->task.migrate(&this->child_create->task, ike_sa);
+       }
        DESTROY_IF(this->collision);
 
        this->ike_sa = ike_sa;