From: Tobias Brunner Date: Fri, 26 Aug 2022 13:33:22 +0000 (+0200) Subject: ike-sa-manager: Prevent new IKE_SA from getting created when flush() is called X-Git-Tag: 5.9.8dr4~6^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f456afe39a91e91c61e3218e4ea9faa19c1a4dd;p=thirdparty%2Fstrongswan.git ike-sa-manager: Prevent new IKE_SA from getting created when flush() is called Without ability to create SPIs, other threads are prevented from creating new IKE_SAs while we are flushing existing IKE_SAs. However, there could still be IKE_SAs already created that might get checked in while the segments are temporarily unlocked to wait for threads to check existing SAs in.
---
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index e860784de9..4ce567c21d 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2391,6 +2391,14 @@ METHOD(ike_sa_manager_t, flush, void,
 entry_t *entry;
 u_int segment;
 
+ /* prevent threads from creating new SAs */
+ this->spi_lock->write_lock(this->spi_lock);
+ DESTROY_IF(this->rng);
+ this->rng = NULL;
+ this->spi_cb.cb = NULL;
+ this->spi_cb.data = NULL;
+ this->spi_lock->unlock(this->spi_lock);
+
 lock_all_segments(this);
 DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
 /* Step 1: drive out all waiting threads */
@@ -2431,13 +2439,6 @@ METHOD(ike_sa_manager_t, flush, void,
 /* Step 4: destroy all entries */
 destroy_all_entries(this);
 unlock_all_segments(this);
-
- this->spi_lock->write_lock(this->spi_lock);
- DESTROY_IF(this->rng);
- this->rng = NULL;
- this->spi_cb.cb = NULL;
- this->spi_cb.data = NULL;
- this->spi_lock->unlock(this->spi_lock);
 }
 
 METHOD(ike_sa_manager_t, destroy, void,
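Review bot: The new comment `/* prevent threads from creating new SAs */` at the top of flush() states the intent but not the mechanism, so the reason the RNG and SPI callback teardown now has to run before `lock_all_segments(this)` is easy to lose in a later refactor. I would spell it out, e.g. `/* prevent threads from creating new SAs: without an RNG or SPI callback no SPIs can be allocated */`, and add a line noting that IKE_SAs created before this point may still be checked in while the segments are temporarily unlocked, as the commit message says. The guarantee presumably depends on every SPI-allocation path reading `this->rng` and `this->spi_cb` under `spi_lock` and treating NULL as failure; those readers are outside the hunk, so that is worth confirming. flush() starts before and continues after the lines shown.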