ike-sa: Fix handling of redirects during IKE_AUTH
Since the referenced commit, the state switch to IKE_ESTABLISHED doesn't
happen immediately after completing the authentication but only after
the remaining tasks have finished.  Due to that redirects during IKE_AUTH
were treated like those during IKE_SA_INIT causing the IKE_SA and task
manager to get reset.  However, unlike the ike-init task, the ike-auth
task returned SUCCESS and, therefore, got destroyed, while a different
task was removed from the array that was modified during the reset.
This later caused a dereference of the freed ike-auth task and a crash.

Fixes: 5ce1c91 ("ikev2: Trigger ike_updown() event after all IKE-specific tasks ran")
tobiasbrunner committed Nov 6, 2023
1 parent 46c012b commit 595fa07
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/libcharon/sa/ike_sa.c
Expand Up @@ -2380,7 +2380,11 @@ METHOD(ike_sa_t, handle_redirect, bool,
switch (this->state)
{
case IKE_CONNECTING:
return redirect_connecting(this, gateway);
if (!has_condition(this, COND_AUTHENTICATED))
{
return redirect_connecting(this, gateway);
}
/* fall-through during IKE_AUTH if authenticated */
case IKE_ESTABLISHED:
return redirect_established(this, gateway);
default:
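Review bot: in the IKE_CONNECTING case, the authenticated path now falls through to redirect_established() while this->state is still IKE_CONNECTING, so please confirm that redirect_established() makes no assumption about the state already being IKE_ESTABLISHED. The comment "fall-through during IKE_AUTH if authenticated" says what happens but not why; a line at the has_condition(this, COND_AUTHENTICATED) check noting that the state switch is deferred until the remaining tasks finish would keep a later cleanup from collapsing the branch back to an unconditional redirect_connecting(). Since the failure described in the commit message is a dereference of a freed task, a regression test that delivers a redirect during IKE_AUTH would be worth adding alongside this change.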