From 9118fd39d70304e7bd436ac154e34d26ed2faea6 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 15 Oct 2020 15:23:02 +0200
Subject: [PATCH] child-sa: Only query/update/delete inbound SA if it was actually installed
We usually can't do any of these things with temporary SAs created while allocating an SPI.
---
 src/libcharon/sa/child_sa.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index d51f530dbf..c776c274dc 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -113,6 +113,11 @@ struct private_child_sa_t {
 */
 child_sa_outbound_state_t outbound_state;
+ /**
+ * Whether the inbound SA has been installed
+ */
+ bool inbound_installed;
+
 /**
 * Whether the peer supports TFCv3
 */
@@ -541,7 +546,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 if (inbound)
 {
- if (this->my_spi)
+ if (this->my_spi && this->inbound_installed)
 {
 kernel_ipsec_sa_id_t id = {
 .src = this->other_addr,
@@ -807,6 +812,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 this->my_cpi = cpi;
 dst_ts = my_ts;
 src_ts = other_ts;
+ this->inbound_installed = TRUE;
 }
 else
 {
@@ -1469,7 +1475,7 @@ static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
 bool encap)
 {
 /* update our (initiator) SA */
- if (this->my_spi)
+ if (this->my_spi && this->inbound_installed)
 {
 kernel_ipsec_sa_id_t id = {
 .src = this->other_addr,
@@ -1701,7 +1707,7 @@ METHOD(child_sa_t, destroy, void,
 }
 /* delete SAs in the kernel, if they are set up */
- if (this->my_spi)
+ if (this->my_spi && this->inbound_installed)
 {
 kernel_ipsec_sa_id_t id = {
 .src = this->other_addr,
-- 
2.47.2
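Review bot: The guard `this->my_spi && this->inbound_installed` is spelled out separately in update_usebytes() here and again in the update_sas() and destroy() hunks, so any later change to what counts as an installed inbound SA has to be repeated in three places. A small file-local predicate, for example `static bool inbound_sa_installed(private_child_sa_t *this)` returning that expression, would keep the three call sites in step. If `inbound_installed` can only become TRUE together with a non-zero `my_spi` (the assignment of `my_spi` is not in the visible hunks, so this is an assumption), the `my_spi` test is redundant and the helper is the natural place to note that. update_usebytes() begins and ends outside this hunk.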
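Review bot: `this->inbound_installed = TRUE;` in install_internal() is set in the same branch that records `my_cpi`, and nothing in the visible hunks ever sets it back to FALSE. The rest of install_internal() is outside the hunk, so it is not visible whether the kernel has already accepted the SA at this point. If the installation call comes later and can fail, the flag would claim an SA that was never installed, and the query/update/delete paths would again run against a temporary SA. Either set the flag only once installation has reported success, or, if setting it early is intended so that a partially installed SA is still cleaned up, say so in the field comment, e.g. `Whether installation of the inbound SA has been attempted`.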
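Review bot: With the stricter condition in destroy(), a CHILD_SA whose SPI was allocated but never installed no longer reaches this kernel delete, and the hunk shows no other step that releases that SPI or its temporary kernel state. destroy() continues outside the hunk, so this may already be handled elsewhere and should be confirmed. If it is not, such state would only go away when the kernel expires it, which is worth bounding when negotiations fail repeatedly after SPI allocation. The comment above the check should also describe the new behaviour, for instance `/* delete SAs in the kernel, if they were installed (allocated-only SPIs are skipped) */`.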