From 8e31d657307d7e5d5bf70fa3dba869b5e014845f Mon Sep 17 00:00:00 2001
From: Carl Smith
Date: Mon, 4 Mar 2019 14:43:00 +1300
Subject: [PATCH] child-sa: Remove temporary DROP policy using same parameters as when added

A temporary DROP policy is added to avoid traffic leak while the SA is being updated. It is added with manual_prio set but when the temporary policy is removed it is removed with manual_prio parameter set to 0. The call to del_policies_outbound does not match the original policy and we end up with an ever increasing refcount. If we try to manually remove the policy, it is not removed due to the positive refcount. Then new SA requests fail with "unable to install policy out for reqid 1618, the same policy for reqid 1528 exists"

Fixes: 35ef1b032d24 ("child-sa: Install drop policies while updating IPsec SAs and policies")
Closes strongswan/strongswan#129.
---
 src/libcharon/sa/child_sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index bdc96a4bc2..a341f29bd5 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1592,7 +1592,7 @@ METHOD(child_sa_t, update, status_t,
 del_policies_outbound(this, this->my_addr, this->other_addr, old_my_ts ?: my_ts, old_other_ts ?: other_ts, &my_sa, &other_sa, POLICY_DROP,
- POLICY_PRIORITY_DEFAULT, 0);
+ POLICY_PRIORITY_DEFAULT, manual_prio);
 }
 DESTROY_IF(old_my_ts);
-- 
2.47.3
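Review bot: The temporary DROP policy is now removed with `manual_prio`, but nothing at the del_policies_outbound() call records that it has to mirror the call that installed that policy; the two calls live apart inside update() (which starts and ends outside this hunk) and must agree on every argument — addresses, traffic selectors, policy type, priority and manual_prio — or the policy keeps a positive refcount and later installs for the same selectors fail, which is exactly the failure the description reports. A short comment on the removal would make the coupling visible to the next person who touches either side, e.g. `/* must use the same arguments as the install of the temporary DROP policy above; any mismatch leaves a stale policy with a non-zero refcount */`. It is also worth checking whether any other temporary policy in this file is removed with arguments that differ from its install, since the same asymmetry would leak the same way.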