mirror of
https://github.com/strongswan/strongswan.git
synced 2025-10-04 00:00:14 -04:00
This should make the DoS limits (cookie_threshold[_ip] and block_threshold) more accurate so that it won't be possible to create lots of jobs from spoofed IP addresses before half-open IKE_SAs are actually created from these jobs to enforce those limits.

Note that retransmits are tracked as half-open SAs until they are processed/dismissed as the check only happens in checkout_by_message().

Increasing the count in process_message_job_create() avoids issues with missing calls to track_init() before calling checkout_by_message() (e.g. when processing fragmented IKEv1 messages, which are reinjected via a process message job).
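
A simplified model of the accounting change this commit message describes, added here as an illustration and not taken from strongSwan's code: all type and function names are hypothetical, and only the `block_threshold` limit name comes from the message. It compares counting a half-open SA when the job is created against counting it only when the job is later processed, for a burst from one source IP that arrives before any worker thread runs.

```c
#include <stdio.h>

/* Simplified model, not strongSwan code: every name below is hypothetical. */
enum track_mode { TRACK_ON_SA_CREATE, TRACK_ON_JOB_CREATE };

struct model {
    enum track_mode mode;
    unsigned block_threshold; /* max half-open SAs allowed per source IP */
    unsigned half_open;       /* current half-open count for that IP */
    unsigned queued;          /* jobs waiting for a worker thread */
};

/* Receiver path: decide whether an initial message from this IP gets a job. */
static int receive_init(struct model *m)
{
    if (m->half_open >= m->block_threshold)
        return 0;             /* dropped: the limit is enforced */
    m->queued++;
    if (m->mode == TRACK_ON_JOB_CREATE)
        m->half_open++;       /* counted as soon as the job exists */
    return 1;
}

/* Worker path: a queued job is processed and a half-open SA is created. */
static void process_one(struct model *m)
{
    m->queued--;
    if (m->mode == TRACK_ON_SA_CREATE)
        m->half_open++;       /* counted only now, after the burst passed */
}

/* Feed `burst` messages before any worker runs; return the jobs accepted. */
unsigned jobs_accepted(enum track_mode mode, unsigned threshold, unsigned burst)
{
    struct model m = { mode, threshold, 0, 0 };
    unsigned accepted = 0;
    for (unsigned i = 0; i < burst; i++)
        accepted += (unsigned)receive_init(&m);
    while (m.queued)          /* workers drain the queue afterwards */
        process_one(&m);
    return accepted;
}

int main(void)
{
    printf("late count:  %u jobs\n", jobs_accepted(TRACK_ON_SA_CREATE, 5, 100));
    printf("early count: %u jobs\n", jobs_accepted(TRACK_ON_JOB_CREATE, 5, 100));
    return 0;
}
```

With the count taken at job creation, the number of accepted jobs is bounded by the threshold regardless of how long jobs wait in the queue.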