From: Martin Willi
Date: Tue, 20 Dec 2011 15:23:12 +0000 (+0100)
Subject: Check message version before processing it on an IKE_SA
X-Git-Tag: 5.0.0~338^2~9^2~137
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=448e2e294578abeba0eafc8a502d942221d2483d;p=thirdparty%2Fstrongswan.git

Check message version before processing it on an IKE_SA
---

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 000c3e539c..5916116e57 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1117,6 +1117,16 @@ METHOD(ike_sa_t, process_message, status_t,
 { /* do not handle messages in passive state */
 return FAILED;
 }
+ if (message->get_major_version(message) != this->version)
+ {
+ DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
+ exchange_type_names, message->get_exchange_type(message),
+ message->get_major_version(message),
+ ike_version_names, this->version);
+ /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
+ * INVALID_MAJOR_VERSION on an IKEv2 SA. */
+ return FAILED;
+ }
 status = this->task_manager->process_message(this->task_manager, message);
 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
 {
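Review bot: The new version check in process_message runs before `this->task_manager->process_message(...)`, so as far as this hunk shows it acts on a header field that has not yet been integrity-checked, and any packet routed to this SA can reach the branch. Because of that, the `DBG1` line is emitted once per mismatching packet at the default log level; consider `DBG2(DBG_IKE, ...)` or rate-limiting so a stream of bogus-version packets cannot fill the log. The callers are outside this hunk, so it should be confirmed that they treat `FAILED` here as "drop this message" and never as a reason to tear down the SA. I would also extend the TODO so the later fallback is not implemented as an unauthenticated downgrade, e.g. `/* TODO-IKEv1: ... only fall back if the INVALID_MAJOR_VERSION notify can be trusted; an unauthenticated one must not downgrade the SA. */`. The function body starts and ends outside the hunk.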