ike-sa: Fix handling of redirects during IKE_AUTH

Since the referenced commit, the state switch to IKE_ESTABLISHED doesn't happen immediately after completing the authentication but only after the remaining tasks have finished. Due to that redirects during IKE_AUTH were treated like those during IKE_SA_INIT causing the IKE_SA and task manager to get reset. However, unlike the ike-init task, the ike-auth task returned SUCCESS and, therefore, got destroyed, while a different task was removed from the array that was modified during the reset. This later caused a dereference of the freed ike-auth task and a crash. Fixes: 5ce1c91b58a2 ("ikev2: Trigger ike_updown() event after all IKE-specific tasks ran")
2025-10-05 00:00:45 -04:00 · 2023-08-31 13:45:10 +02:00 · 2023-08-31 13:45:10 +02:00 · 595fa077b6
commit 595fa077b6
parent 46c012b664
1 changed files with 5 additions and 1 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -2380,7 +2380,11 @@ METHOD(ike_sa_t, handle_redirect, bool,
 	switch (this->state)
 	{
 		case IKE_CONNECTING:
-			return redirect_connecting(this, gateway);
+			if (!has_condition(this, COND_AUTHENTICATED))
+			{
+				return redirect_connecting(this, gateway);
+			}
+			/* fall-through during IKE_AUTH if authenticated */
 		case IKE_ESTABLISHED:
 			return redirect_established(this, gateway);
 		default: