child-sa: Only query/update/delete inbound SA if it was actually installed

We usually can't do any of these things with temporary SAs created while allocating an SPI.
2025-10-05 00:00:45 -04:00 · 2020-10-15 15:23:02 +02:00 · 2020-10-15 15:23:02 +02:00 · 9118fd39d7
commit 9118fd39d7
parent 610745e724
1 changed files with 9 additions and 3 deletions
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@ -113,6 +113,11 @@ struct private_child_sa_t {
 	 */
 	child_sa_outbound_state_t outbound_state;

+	/**
+	 * Whether the inbound SA has been installed
+	 */
+	bool inbound_installed;
+
 	/**
 	 * Whether the peer supports TFCv3
 	 */
@ -541,7 +546,7 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)

 	if (inbound)
 	{
-		if (this->my_spi)
+		if (this->my_spi && this->inbound_installed)
 		{
 			kernel_ipsec_sa_id_t id = {
 				.src = this->other_addr,
@ -807,6 +812,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 		this->my_cpi = cpi;
 		dst_ts = my_ts;
 		src_ts = other_ts;
+		this->inbound_installed = TRUE;
 	}
 	else
 	{
@ -1469,7 +1475,7 @@ static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
 						   bool encap)
 {
 	/* update our (initiator) SA */
-	if (this->my_spi)
+	if (this->my_spi && this->inbound_installed)
 	{
 		kernel_ipsec_sa_id_t id = {
 			.src = this->other_addr,
@ -1701,7 +1707,7 @@ METHOD(child_sa_t, destroy, void,
 	}

 	/* delete SAs in the kernel, if they are set up */
-	if (this->my_spi)
+	if (this->my_spi && this->inbound_installed)
 	{
 		kernel_ipsec_sa_id_t id = {
 			.src = this->other_addr,