From: Tobias Brunner Date: Fri, 7 Mar 2025 09:14:29 +0000 (+0100) Subject: android: Protect but don't keep track of sockets used for source address lookups X-Git-Tag: 6.0.2dr1~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f1f375a21d1847f28594f42a47abd9579e3a671;p=thirdparty%2Fstrongswan.git android: Protect but don't keep track of sockets used for source address lookups These sockets are closed immediately again, so no need to re-protect them during roaming events. References strongswan/strongswan#1691 Fixes: 6d87a8651068 ("android: Use new sockets to determine source IP")
---
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
index b9a34d15bd..531fd94c6a 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
@@ -256,11 +256,14 @@ CALLBACK(bypass_single_socket_cb, void,
 }
 
 METHOD(charonservice_t, bypass_socket, bool,
-	private_charonservice_t *this, int fd, int family)
+	private_charonservice_t *this, int fd, bool track_fd)
 {
 	if (fd >= 0)
 	{
-		this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+		if (track_fd)
+		{
+			this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
+		}
 		return bypass_single_socket(this, fd);
 	}
 	this->sockets->invoke_function(this->sockets, bypass_single_socket_cb, this);
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
index e59d7e106e..bcce99a4e4 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
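Review bot: With `track_fd` FALSE the new branch protects the fd exactly once, so the roam-time re-bypass done by the `invoke_function` call on the last line will never reach it; whether that is safe depends entirely on the caller closing the fd before the next roam event, which this function cannot check. A short comment above `if (track_fd)` would make that contract visible where it is implemented, e.g. `/* untracked fds are protected only once and not re-bypassed on roam events, callers must close them right away */`. Note also that, as before, a tracked fd is inserted into `this->sockets` before `bypass_single_socket()` runs, so an fd whose first protect() fails stays tracked and is retried on the next roam, which is presumably intended. The body of bypass_socket continues past the end of the hunk.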
@@ -109,13 +109,14 @@ struct charonservice_t {
 	 * Install a bypass policy for the given socket using the protect() Method
 	 * of the Android VpnService interface.
 	 *
-	 * Use -1 as fd to re-bypass previously bypassed sockets.
+	 * If track_fd is TRUE, the fd is kept track of. Use -1 as fd to re-bypass
+	 * all of those sockets.
 	 *
 	 * @param fd			socket file descriptor
-	 * @param family		socket protocol family
+	 * @param track_fd		TRUE to keep track of fd
 	 * @return				TRUE if operation successful
 	 */
-	bool (*bypass_socket)(charonservice_t *this, int fd, int family);
+	bool (*bypass_socket)(charonservice_t *this, int fd, bool track_fd);
 
 	/**
 	 * Get a list of trusted certificates via JNI
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
index b2caed97cc..9c2913f4d8 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
@@ -159,7 +159,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 METHOD(kernel_ipsec_t, bypass_socket, bool,
 	private_kernel_android_ipsec_t *this, int fd, int family)
 {
-	return charonservice->bypass_socket(charonservice, fd, family);
+	return charonservice->bypass_socket(charonservice, fd, TRUE);
 }
 
 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
index 7b556b4bb5..27f75d2ba3 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
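Review bot: The new doc text does not say what `track_fd` means when `fd` is -1, which is exactly the case the following sentence introduces; in the charonservice.c implementation the flag is never read on that path (roam_event in android_net.c passes FALSE). Stating it on the parameter line removes the guesswork at call sites: `* @param track_fd		TRUE to keep track of fd (ignored if fd is -1)`. It would also help to say that an fd passed with track_fd FALSE is protected once only and is not re-bypassed by a later -1 call, since that is the property the callers in android_net.c rely on.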
@@ -70,7 +70,7 @@ struct private_android_net_t {
 static job_requeue_t roam_event()
 {
 	/* this will fail if no connection is up */
-	charonservice->bypass_socket(charonservice, -1, 0);
+	charonservice->bypass_socket(charonservice, -1, FALSE);
 	charon->kernel->roam(charon->kernel, TRUE);
 	return JOB_REQUEUE_NONE;
 }
@@ -122,7 +122,7 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
 				strerror(errno));
 		return NULL;
 	}
-	charonservice->bypass_socket(charonservice, skt, dst->get_family(dst));
+	charonservice->bypass_socket(charonservice, skt, FALSE);
 	if (connect(skt, dst->get_sockaddr(dst), addrlen) < 0)
 	{