Fix crash on DTLS resumption
authorKevin Cernekee <cernekee@gmail.com>
Mon, 12 Feb 2018 03:34:22 +0000 (19:34 -0800)
committerKevin Cernekee <cernekee@gmail.com>
Mon, 12 Feb 2018 03:39:14 +0000 (19:39 -0800)
If the mainloop is paused and then resumed, DTLS will attempt to
reconnect at the same time as CSTP.  When DTLS-PSK is in use,
gnutls_prf() will be called on a NULL vpninfo->https_sess pointer.
Avoid this by deferring DTLS resumption until CSTP has reconnected, if
DTLS-PSK is in use.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
dtls.c
gnutls-dtls.c

diff --git a/dtls.c b/dtls.c
index 80d6c05a73e8315a8963e5a4af1b6a595c80b142..4ce74dccbe19469ccaff087b4a292f35da9b4577 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -265,7 +265,8 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
 
                if (when <= 0) {
                        vpn_progress(vpninfo, PRG_DEBUG, _("Attempt new DTLS connection\n"));
-                       connect_dtls_socket(vpninfo);
+                       if (connect_dtls_socket(vpninfo) < 0)
+                               *timeout = 1000;
                } else if ((when * 1000) < *timeout) {
                        *timeout = when * 1000;
                }
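Review bot: The new failure branch assigns `*timeout = 1000` unconditionally, so it can lengthen a shorter timeout that another mainloop handler has already requested; the `else if` branch directly below only ever lowers `*timeout`. Clamp it instead: `if (connect_dtls_socket(vpninfo) < 0 && *timeout > 1000) *timeout = 1000;`. Every negative return is handled the same way, so a hard failure appears to be retried on the same one-second cadence as the -EAGAIN deferral unless code outside the hunk backs off. A short comment such as `/* retry soon: DTLS-PSK may be waiting for CSTP to reconnect */` would record why the value is 1000. dtls_mainloop starts and ends outside the hunk.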
index 7d15be6c8dfab8d890f3e6eadbe9a1d195b37f83..b30abb29fa441b4a02683da4143965e13699bfc6 100644 (file)
@@ -161,6 +161,12 @@ static int start_dtls_psk_handshake(struct openconnect_info *vpninfo, int dtls_f
        struct oc_text_buf *prio;
        int err;
 
+       if (!vpninfo->https_sess) {
+               vpn_progress(vpninfo, PRG_INFO,
+                            _("Deferring DTLS resumption until CSTP generates a PSK\n"));
+               return -EAGAIN;
+       }
+
        prio = buf_alloc();
        buf_append(prio, "%s:-VERS-TLS-ALL:+VERS-DTLS-ALL:-KX-ALL:+PSK", vpninfo->gnutls_prio);
        if (buf_error(prio)) {
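Review bot: The NULL guard on `vpninfo->https_sess` carries no comment tying it to the PSK derivation it protects, so a later refactor could move or drop it without noticing that the DTLS key material depends on a live CSTP TLS session. Suggest adding `/* The PSK is derived from the CSTP session (gnutls_prf); without it we can only wait for CSTP to reconnect. */` above the check. The message is logged at PRG_INFO, and combined with the one-second retry added in dtls.c it may repeat every second while CSTP is down, so PRG_DEBUG is probably the better level. start_dtls_psk_handshake continues past the hunk, and whether the caller closes `dtls_fd` when it sees -EAGAIN is not visible here.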