From: Martin Willi <martin@revosec.ch>
Date: Tue, 10 Mar 2015 12:59:49 +0000 (+0100)
Subject: ikev1: Don't handle DPD timeout job if IKE_SA got passive
X-Git-Tag: 5.3.0dr1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb3e339a3c58b6b1a35907c1d9023beaf7f25aaa;p=thirdparty%2Fstrongswan.git

ikev1: Don't handle DPD timeout job if IKE_SA got passive

While a passively installed IKE_SA does not queue a DPD timeout job, one that
switches from active to passive might execute it. Ignore such a queued job if
the IKE_SA is in passive state.
---

diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 9cdce5cab0..4c88c13e2b 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -63,6 +63,12 @@ METHOD(job_t, execute, job_requeue_t,
 											  this->ike_sa_id);
 	if (ike_sa)
 	{
+		if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+		{
+			charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+			return JOB_REQUEUE_NONE;
+		}
+
 		use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND);
 
 		enumerator = ike_sa->create_child_sa_enumerator(ike_sa);