From: Apple
Date: Sat, 21 Feb 2009 18:08:11 +0000 (+0000)
Subject: ipsec-34.0.3.tar.gz
X-Git-Tag: mac-os-x-1057^0
X-Git-Url: https://git.saurik.com/apple/ipsec.git/commitdiff_plain/5122e997b817982e567ac8959bcb3aa7a6dd5cf7

ipsec-34.0.3.tar.gz
---
diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c
index 5fa5e07..dc58420 100644
--- a/ipsec-tools/racoon/isakmp.c
+++ b/ipsec-tools/racoon/isakmp.c
@@ -764,20 +764,23 @@ ph1_main(iph1, msg)
 [iph1->side]
 [iph1->status])(iph1, msg);
 if (error != 0) {
-#if 0
 /* XXX
 * When an invalid packet is received on phase1, it should
 * be selected to process this packet. That is to respond
 * with a notify and delete phase 1 handler, OR not to respond
- * and keep phase 1 handler.
+ * and keep phase 1 handler. However, in PHASE1ST_START when
+ * acting as RESPONDER we must not keep phase 1 handler or else
+ * it will stay forever.
 */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
- return -1;
-#else
- /* ignore the error and keep phase 1 handler */
- return 0;
-#endif
+
+ if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "failed to pre-process packet.\n");
+ return -1;
+ } else {
+ /* ignore the error and keep phase 1 handler */
+ return 0;
+ }
 }

 /* free resend buffer */
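Review bot: The `else` branch still returns 0 without logging, so a malformed phase 1 packet received in any state other than RESPONDER/PHASE1ST_START leaves no trace in the racoon log, and neither branch records the value of `error`. A low-level message before `return 0;`, for example `plog(LLV_DEBUG, LOCATION, iph1->remote, "ignoring pre-process failure (%d), keeping phase 1 handler.\n", error);`, would let an operator see repeated bad packets from one peer. The updated comment says the responder's handler must not be kept, but the new code only returns -1; the deletion presumably happens in the caller, which this hunk does not show, so that path is worth confirming. Since both branches return, the `else` can also be dropped to flatten the block. ph1_main begins and ends outside this hunk.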