From: Martin Willi Date: Thu, 2 Aug 2012 10:50:31 +0000 (+0200) Subject: Reject initial exchange messages early once IKE_SA is established X-Git-Tag: 5.0.1~235 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=394b9f6b659285ca304c432d480c95bdea552b32;p=thirdparty%2Fstrongswan.git Reject initial exchange messages early once IKE_SA is established
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index a13a7a3b63..7f5acccc0b 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1205,6 +1205,24 @@ METHOD(ike_sa_t, process_message, status_t,
 { /* do not handle messages in passive state */
 return FAILED;
 }
+ switch (message->get_exchange_type(message))
+ {
+ case ID_PROT:
+ case AGGRESSIVE:
+ case TRANSACTION:
+ case IKE_SA_INIT:
+ case IKE_AUTH:
+ if (this->state != IKE_CREATED &&
+ this->state != IKE_CONNECTING)
+ {
+ DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
+ exchange_type_names, message->get_exchange_type(message));
+ return FAILED;
+ }
+ break;
+ default:
+ break;
+ }
 if (message->get_major_version(message) != this->version)
 {
 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
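Review bot: The new `switch` drops TRANSACTION together with the true initial exchanges whenever the SA is neither IKE_CREATED nor IKE_CONNECTING, so an ISAKMP config-mode exchange that is still in flight when the SA reaches IKE_ESTABLISHED would be rejected as well; whether that can happen with the IKEv1 task ordering in this tree is not visible here and is worth confirming before TRANSACTION stays in the list. The intent of the early reject is security-relevant but undocumented: a comment above the `switch` along the lines of `/* initial exchanges are only valid while the SA is being set up; a late, replayed or spoofed one must not reach the task manager of an established SA */` would make the reason for returning FAILED (rather than answering the peer) clear to the next reader. As a style point, `message->get_exchange_type(message)` is evaluated twice in the hunk; a local `exchange_type_t type = message->get_exchange_type(message);` used in both the `switch` and the `DBG1` would read more cleanly. The body of `process_message` begins and continues outside this hunk.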