On Mon, Nov 11, 2019 at 03:34:03PM +0100, Tobias Heider wrote:
> Currently iked does not provide an option to configure extended sequence
> numbers (ESN) for child SAs, but always proposes/accepts both options.
> This diff adds a new optional "esn on/off" config option to explicitly enable
> or disable esn.
>
> ok?

OK bluhm@, with one remark > @@ -2833,6 +2859,11 @@ create_ike(char *name, int af, uint8_t i > if ((p = calloc(1, sizeof(*p))) == NULL) > err(1, "%s", __func__); > > + if (ike_sa->xfs[i]->nesnxf) { > + yyerror("cannot use ESN with ikesa."); > + goto done; > + } > + This check should be before the calloc(3). Otherwise you leak the p in the goto done case. bluhm
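
Review bot: In the create_ike() hunk, the new test of ike_sa->xfs[i]->nesnxf reads only the parsed transform list and does not use p, so nothing requires the calloc(1, sizeof(*p)) to happen first. Placing the test and its "goto done" above the allocation keeps the error path free of any cleanup for p. Because the test is indexed by i, it is also worth confirming that no p from an earlier index is left unlinked when a later index takes the goto. The message "cannot use ESN with ikesa." could also say that esn is only valid for childsa, so the user knows where to move the option.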