Properly compare CHILD_SAs during rekey collision
authorTobias Brunner <tobias@strongswan.org>
Fri, 31 May 2013 17:01:05 +0000 (19:01 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 11 Jun 2013 12:00:02 +0000 (14:00 +0200)
The previous code did not properly check for the situation when the
DELETE for a redundant CHILD_SA created by a responder during a
CHILD_SA rekey collision arrives before the responder's answer to the
initiator's winning CREATE_CHILD_SA request.

src/libcharon/sa/ikev2/tasks/child_rekey.c

index 262cb10..d2003bb 100644 (file)
@@ -399,12 +399,19 @@ METHOD(child_rekey_t, collide, void,
        else if (other->get_type(other) == TASK_CHILD_DELETE)
        {
                child_delete_t *del = (child_delete_t*)other;
-               if (del->get_child(del) == this->child_create->get_child(this->child_create))
+               if (this->collision &&
+                       this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
                {
-                       /* peer deletes redundant child created in collision */
-                       this->other_child_destroyed = TRUE;
-                       other->destroy(other);
-                       return;
+                       private_child_rekey_t *rekey;
+
+                       rekey = (private_child_rekey_t*)this->collision;
+                       if (del->get_child(del) == rekey->child_create->get_child(rekey->child_create))
+                       {
+                               /* peer deletes redundant child created in collision */
+                               this->other_child_destroyed = TRUE;
+                               other->destroy(other);
+                               return;
+                       }
                }
                if (del->get_child(del) != this->child_sa)
                {