From d9cae9e0627954e71d3b5a2e85daf19000167d95 Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Mon, 3 Jun 2024 15:40:51 -0400
Subject: [PATCH] ensure messageCounter is set before handshake is complete (#1154)

Ensure we set messageCounter to 2 before the handshake is marked as complete.
---
 handshake_ix.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/handshake_ix.go b/handshake_ix.go
index 8727b16..b86ecab 100644
--- a/handshake_ix.go
+++ b/handshake_ix.go
@@ -1,6 +1,7 @@
 package nebula

 import (
+ "fmt"
 "time"

 "github.com/flynn/noise"
@@ -321,7 +322,11 @@ func ixHandshakeStage1(f *Interface, addr *udp.Addr, via *ViaSender, packet []by
 }

 f.connectionManager.AddTrafficWatch(hostinfo.localIndexId)
- hostinfo.ConnectionState.messageCounter.Store(2)
+ prev := hostinfo.ConnectionState.messageCounter.Swap(2)
+ if prev > 2 {
+ panic(fmt.Errorf("invalid state: messageCounter > 2 before handshake complete: %v", prev))
+ }
+
 hostinfo.remotes.ResetBlockedRemotes()

 return
@@ -463,12 +468,15 @@ func ixHandshakeStage2(f *Interface, addr *udp.Addr, via *ViaSender, hh *Handsha
 // Build up the radix for the firewall if we have subnets in the cert
 hostinfo.CreateRemoteCIDR(remoteCert)

+ prev := hostinfo.ConnectionState.messageCounter.Swap(2)
+ if prev > 2 {
+ panic(fmt.Errorf("invalid state: messageCounter > 2 before handshake complete: %v", prev))
+ }
+
 // Complete our handshake and update metrics, this will replace any existing tunnels for this vpnIp
 f.handshakeManager.Complete(hostinfo, f)
 f.connectionManager.AddTrafficWatch(hostinfo.localIndexId)

- hostinfo.ConnectionState.messageCounter.Store(2)
-
 if f.l.Level >= logrus.DebugLevel {
 hostinfo.logger(f.l).Debugf("Sending %d stored packets", len(hh.packetStore))
 }
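Review bot: In ixHandshakeStage1 the new `Swap(2)` stays where the old `Store(2)` was, after `f.connectionManager.AddTrafficWatch(hostinfo.localIndexId)`, whereas the ixHandshakeStage2 hunk moves it ahead of `f.handshakeManager.Complete`. The call that marks the handshake complete in stage 1 is outside this hunk, so the order cannot be confirmed from here; if it runs earlier in the function, the counter is still being reset after the hostinfo is live, which is what the commit title says it prevents. Either move these lines above that call, or document why the position is safe with a comment such as `// hostinfo is not used for sending until this function returns` (only if that is true). The function body starts and ends outside the hunk.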
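Review bot: `Swap(2)` has already rewound the counter when `prev > 2` is tested, so the check reports the bad state but does not prevent it, and nothing says why that state is fatal; the identical block in the ixHandshakeStage1 hunk has the same gap. Today the panic ends the process, which also means one inconsistent hostinfo on a packet-handling path stops every tunnel on the node. I would pull the four lines into one helper used by both stages and document the invariant there, e.g. `// messageCounter must never move backwards; prev > 2 means packets were sent on this tunnel before the handshake finished`. If the counter feeds the per-packet nonce, as the name suggests, say so in that comment. ixHandshakeStage2 continues outside the hunk.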