Check message version before processing it on an IKE_SA
authorMartin Willi <martin@revosec.ch>
Tue, 20 Dec 2011 15:23:12 +0000 (16:23 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:29 +0000 (17:31 +0100)
src/libcharon/sa/ike_sa.c

index 000c3e5..5916116 100644 (file)
@@ -1117,6 +1117,16 @@ METHOD(ike_sa_t, process_message, status_t,
        {       /* do not handle messages in passive state */
                return FAILED;
        }
+       if (message->get_major_version(message) != this->version)
+       {
+               DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
+                        exchange_type_names, message->get_exchange_type(message),
+                        message->get_major_version(message),
+                        ike_version_names, this->version);
+               /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
+                * INVALID_MAJOR_VERSION on an IKEv2 SA. */
+               return FAILED;
+       }
        status = this->task_manager->process_message(this->task_manager, message);
        if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
        {