From: Tobias Brunner Date: Thu, 31 Aug 2023 11:45:10 +0000 (+0200) Subject: ike-sa: Fix handling of redirects during IKE_AUTH X-Git-Tag: 5.9.12rc1~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=595fa077b63c4cbea292fdb4a05606b65cf4f8c1;p=thirdparty%2Fstrongswan.git ike-sa: Fix handling of redirects during IKE_AUTH Since the referenced commit, the state switch to IKE_ESTABLISHED doesn't happen immediately after completing the authentication but only after the remaining tasks have finished. Due to that redirects during IKE_AUTH were treated like those during IKE_SA_INIT causing the IKE_SA and task manager to get reset. However, unlike the ike-init task, the ike-auth task returned SUCCESS and, therefore, got destroyed, while a different task was removed from the array that was modified during the reset. This later caused a dereference of the freed ike-auth task and a crash. Fixes: 5ce1c91b58a2 ("ikev2: Trigger ike_updown() event after all IKE-specific tasks ran") --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 7d432c570e..6b0e72da32 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -2380,7 +2380,11 @@ METHOD(ike_sa_t, handle_redirect, bool, switch (this->state) { case IKE_CONNECTING: - return redirect_connecting(this, gateway); + if (!has_condition(this, COND_AUTHENTICATED)) + { + return redirect_connecting(this, gateway); + } + /* fall-through during IKE_AUTH if authenticated */ case IKE_ESTABLISHED: return redirect_established(this, gateway); default:
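Review bot: the guard in handle_redirect keys on COND_AUTHENTICATED rather than on whether the ike-auth task is active, so a REDIRECT received in an IKE_AUTH message before the peer is authenticated (for example partway through a multi-round EAP exchange) still takes the redirect_connecting() reset path that the commit message identifies as the trigger for the use-after-free of the destroyed ike-auth task. Please state in a comment next to `if (!has_condition(this, COND_AUTHENTICATED))` that redirects before authentication completes are deliberately treated like IKE_SA_INIT redirects, or widen the check if that path is reachable. The `/* fall-through during IKE_AUTH if authenticated */` comment is the right shape for -Wimplicit-fallthrough, but a regression test that sends a redirect in the final IKE_AUTH response would make sure the established path is actually exercised and the reset path is not re-introduced.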