From 62e7c68b61d87252119b648806c88d8ed291436b Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 25 Oct 2019 11:07:11 +0200
Subject: [PATCH] kernel-pfkey: Clear receive buffer before sending request

Many of the messages sent by the kernel, including confirmations to our requests, are sent as broadcasts to all PF_KEY sockets. So if an external tool is used to manage SAs/policies (e.g. unrelated to IPsec) the receive buffer might be filled, resulting in errors like these:
error sending to PF_KEY socket: No buffer space available
To avoid this, just clear the buffer before sending any message.
Fixes #3225.
---
 src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 92bbe57..0ae3314 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1145,6 +1145,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
 this->mutex_pfkey->lock(this->mutex_pfkey);
+ /* the kernel may broadcast messages not related to our requests (e.g. when
+ * managing SAs and policies via an external tool), so let's clear the
+ * receive buffer so there is room for our request and its reply. */
+ while (TRUE)
+ {
+ len = recv(socket, buf, sizeof(buf), MSG_DONTWAIT);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ { /* interrupted, try again */
+ continue;
+ }
+ break;
+ }
+ }
+
 /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
 * in particular the behavior in response to an SADB_ACQUIRE. */
 in->sadb_msg_seq = ++this->seq;
-- 
2.7.4
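Review bot: The new `while (TRUE)` drain loop exits only when recv() fails, so while another PF_KEY user keeps broadcasting, pfkey_send_socket can spin for as long as messages arrive while holding mutex_pfkey; capping the number of drained messages (a loop counter compared against a small named constant) would bound that. The `break` also treats every non-EINTR error alike, so a socket that is genuinely broken is silently ignored here and only surfaces at the later send(); distinguishing the expected case with `if (errno != EAGAIN && errno != EWOULDBLOCK)` and logging the rest the way the existing send error is logged would keep that visible. The discarded messages are assumed to be unrelated to this socket's request/reply flow; if event messages such as SADB_ACQUIRE or SADB_EXPIRE could arrive on this socket rather than on a dedicated events socket, they would be lost here, which is worth confirming. pfkey_send_socket starts before and ends after the hunk, and `buf` and `len` are declared outside it.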