[Openswan dev]

Paul Wouters paul at xelerance.com
Thu Oct 13 05:07:49 CEST 2005


On Thu, 13 Oct 2005, Herbert Xu wrote:

> The following patch rolls back the changes made by install_ipsec_sa and
> install_inbound_ipsec_sa in the various quick_* functions when we detect
> an error after the SAs have been installed.
>
> This is needed because otherwise the system enters a consistent state
> which can cause crashes elsewhere in the code.
>
> For example, if the final quick mode processing fails because dpd_init
> couldn't find a phase 1 SA, we will have a state that fails the
> IS_IPSEC_SA_ESTABLISHED test because it has not yet transitioned into
> the final state.
>
> However, this state will be the eroute owner of the SPD which causes a
> crash in this spot:
>
> delete_state -> connection_discard ->
> delete_connection -> release_connection -> delete_states_by_connection
>
> Normally delete_state would have removed the eroute if the state passed
> the IS_IPSEC_SA_ESTABLISHED test.

queued up. Thanks!

Paul
-- 

"Happiness is never grand"

 	--- Mustapha Mond, World Controller (Brave New World)

