From: Martin Willi Date: Wed, 10 Jan 2024 16:27:00 +0000 (+0100) Subject: ike-sa: Handle IKE_SA unique identifier refcount overflow gracefully X-Git-Tag: android-2.5.0~9^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f634a3300c9611b5ce4be945d6a606f5a0a1c5bb;p=thirdparty%2Fstrongswan.git ike-sa: Handle IKE_SA unique identifier refcount overflow gracefully IKE_SA unique identifier allocation starts at 1. If the counter overflows, a unique ID of 0 is assigned to an IKE_SA, which may have unclear consequences. Overflowing the unique ID counter is theoretical for most setups, but on a Gateway terminating 100'000 tunnels and rekeying the IKE_SA every 60s overflows the counter after a month uptime. So avoid a 0 unique identifier by using ref_get_nonzero(). --- diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 654508e4b3..758a4cdba3 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -3229,7 +3229,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .my_auths = array_create(0, 0), .other_auths = array_create(0, 0), .attributes = array_create(sizeof(attribute_entry_t), 0), - .unique_id = ref_get(&unique_id), + .unique_id = ref_get_nonzero(&unique_id), .keepalive_interval = lib->settings->get_time(lib->settings, "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns), .keepalive_dpd_margin = lib->settings->get_time(lib->settings,
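Review bot: In the `.unique_id = ref_get_nonzero(&unique_id),` initializer of ike_sa_create(), skipping 0 removes the zero-ID case but leaves uniqueness after the wrap unaddressed. Once the counter restarts at 1, a newly created IKE_SA can be handed an ID that is still held by an IKE_SA created before the overflow and not yet torn down. The commit message only discusses the 0 value. Either state there that duplicate IDs after wraparound are accepted and why users of the unique ID tolerate them, or check the candidate against live IKE_SAs before assigning it. A short comment on this line saying why 0 has to be avoided would also help, since the reason for choosing the _nonzero variant is not visible at the call site.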