child-cfg: Fix apply_jitter() in case jitter is bigger than rekey value

Also avoid returning 0 and disabling rekeying in the rare case of
`jitter = rekey` and the `1/jitter` chance of that happening (returning
1 at least doesn't disable rekeying).

Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closes strongswan/strongswan#1414

diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index bc9cff7129b119ae951381eeecec727db49fe2af..837495c59eea49ab4bba271900e679eb68f9f0a6 100644 (file)
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -435,7 +435,7 @@ static uint64_t apply_jitter(uint64_t rekey, uint64_t jitter)
                return rekey;
        }
        jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
-       return rekey - jitter * (random() / (RAND_MAX + 1.0));
+       return rekey - (uint64_t)(min(jitter, rekey) * (random() / (RAND_MAX + 1.0)));
 }
 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)