Check message version before processing it on an IKE_SA

author: Martin Willi <martin@revosec.ch> 2011-12-20 16:23:12 +0100
committer: Martin Willi <martin@revosec.ch> 2012-03-20 17:31:29 +0100
commit: 448e2e294578abeba0eafc8a502d942221d2483d (patch)
tree: 007293b349906001706de102979edfb399e6b2ae /src
parent: 986237603f06dd3503f524eafb76e6ab0d4fcf29 (diff)
download: strongswan-448e2e294578abeba0eafc8a502d942221d2483d.tar.bz2
strongswan-448e2e294578abeba0eafc8a502d942221d2483d.tar.xz
1 files changed, 10 insertions, 0 deletions
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 000c3e539..5916116e5 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -1117,6 +1117,16 @@ METHOD(ike_sa_t, process_message, status_t,
 	{	/* do not handle messages in passive state */
 		return FAILED;
 	}
+	if (message->get_major_version(message) != this->version)
+	{
+		DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
+			 exchange_type_names, message->get_exchange_type(message),
+			 message->get_major_version(message),
+			 ike_version_names, this->version);
+		/* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
+		 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
+		return FAILED;
+	}
 	status = this->task_manager->process_message(this->task_manager, message);
 	if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
 	{
author	Martin Willi <martin@revosec.ch>	2011-12-20 16:23:12 +0100
committer	Martin Willi <martin@revosec.ch>	2012-03-20 17:31:29 +0100
commit	448e2e294578abeba0eafc8a502d942221d2483d (patch)
tree	007293b349906001706de102979edfb399e6b2ae /src
parent	986237603f06dd3503f524eafb76e6ab0d4fcf29 (diff)
download	strongswan-448e2e294578abeba0eafc8a502d942221d2483d.tar.bz2 strongswan-448e2e294578abeba0eafc8a502d942221d2483d.tar.xz