[strongSwan-dev] [PATCH 1/2] Fix packet drop due to race condition on initiator

[Christophe Gouault]

Under high load, charon may receive a response to an IKE_SA_INIT
request before the new ike_sa was inserted in the SA table. The
response is then dropped and IkeInInvalidSpi incremented.

Insert new ike_sas in the sa table as soon as they are created in
checkout_new.

Signed-off-by: Christophe Gouault <christophe.gouault at 6wind.com>
---
 src/libcharon/sa/ike_sa_manager.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index 8e68e7b..f38cc41 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1158,13 +1158,27 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
 		ike_sa_id = ike_sa_id_create(ike_version, 0, spi, FALSE);
 	}
 	ike_sa = ike_sa_create(ike_sa_id, initiator, version);
-	ike_sa_id->destroy(ike_sa_id);
 
 	if (ike_sa)
 	{
+		u_int segment;
+		entry_t *entry;
+
 		DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
 			 ike_sa->get_unique_id(ike_sa));
+
+		entry = entry_create();
+		entry->checked_out = TRUE;
+		entry->ike_sa_id = ike_sa_id;
+		entry->ike_sa = ike_sa;
+		segment = put_entry(this, entry);
+		unlock_single_segment(this, segment);
 	}
+	else
+	{
+		ike_sa_id->destroy(ike_sa_id);
+	}
+
 	return ike_sa;
 }
 
-- 
1.7.10.4