Since the referenced commit, the state switch to IKE_ESTABLISHED doesn't
happen immediately after completing the authentication but only after
the remaining tasks have finished. Due to that, redirects during IKE_AUTH
were treated like those during IKE_SA_INIT, causing the IKE_SA and task
manager to get reset. However, unlike the ike-init task, the ike-auth
task returned SUCCESS and, therefore, got destroyed, while a different
task was removed from the array that was modified during the reset.
This later caused a dereference of the freed ike-auth task and a crash.
Fixes: 5ce1c91b58a2 ("ikev2: Trigger ike_updown() event after all IKE-specific tasks ran")
switch (this->state)
{
case IKE_CONNECTING:
- return redirect_connecting(this, gateway);
+ if (!has_condition(this, COND_AUTHENTICATED))
+ {
+ return redirect_connecting(this, gateway);
+ }
+ /* fall-through during IKE_AUTH if authenticated */
case IKE_ESTABLISHED:
return redirect_established(this, gateway);
default:
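Review bot: with the fall-through in the IKE_CONNECTING case, redirect_established() is now called while this->state is still IKE_CONNECTING, so please confirm it makes no assumption that the SA is already IKE_ESTABLISHED (for example when it deletes or reestablishes the SA), and that COND_AUTHENTICATED is always set before a redirect notify in the IKE_AUTH response is processed; otherwise the redirect still takes the redirect_connecting() path that resets the task manager and frees the running ike-auth task, which is the crash this change is meant to fix. A short comment above the has_condition() check stating that rule (authenticated but not yet established means the SA must be treated as established for redirects) would make the intent clearer than the bare "fall-through during IKE_AUTH if authenticated" line.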