From 03aae9637922023dd77955cb15caafb7ce309200 Mon Sep 17 00:00:00 2001
From: Atzm Watanabe <atzmism@gmail.com>
Date: Mon, 8 Aug 2022 15:45:36 +0900
Subject: ikev2: fix rekeying with multiple notify payloads

Type: fix
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: I065bd5c26055d863d786023970e7deeed261b31c
---
 src/plugins/ikev2/ikev2.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'src/plugins/ikev2/ikev2.c')

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index 84b62d2a11e..20be89e1aaf 100644
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1367,7 +1367,6 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm,
   int p = 0;
   u8 payload = ike->nextpayload;
   u8 *plaintext = 0;
-  u8 rekeying = 0;
   ikev2_rekey_t *rekey;
   ike_payload_header_t *ikep;
   ikev2_notify_t *n = 0;
@@ -1410,11 +1409,15 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm,
 	}
       else if (payload == IKEV2_PAYLOAD_NOTIFY)
 	{
-	  n = ikev2_parse_notify_payload (ikep, current_length);
-	  if (n->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
+	  ikev2_notify_t *n0;
+	  n0 = ikev2_parse_notify_payload (ikep, current_length);
+	  if (n0->msg_type == IKEV2_NOTIFY_MSG_REKEY_SA)
 	    {
-	      rekeying = 1;
+	      vec_free (n);
+	      n = n0;
 	    }
+	  else
+	    vec_free (n0);
 	}
       else if (payload == IKEV2_PAYLOAD_DELETE)
 	{
@@ -1478,7 +1481,7 @@ ikev2_process_create_child_sa_req (vlib_main_t * vm,
     }
   else
     {
-      if (rekeying)
+      if (n)
 	{
 	  child_sa = ikev2_sa_get_child (sa, n->spi, n->protocol_id, 1);
 	  if (!child_sa)
-- 
cgit 1.2.3-korg