Due to an unprotected incrementation, two load-tester initiators occasionally use the same SPI under high load, and hence generate 2 IPsec SAs with the same identifier. The responder IPsec stack will refuse to configure the second SA.
Use an atomic incrementation to avoid this race condition. Signed-off-by: Christophe Gouault <[email protected]> --- src/libcharon/plugins/load_tester/load_tester_ipsec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index 02b1d42..5edd3b8 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -31,14 +31,14 @@ struct private_load_tester_ipsec_t { /** * faked SPI counter */ - u_int32_t spi; + refcount_t spi; }; METHOD(kernel_ipsec_t, get_spi, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, u_int8_t protocol, u_int32_t reqid, u_int32_t *spi) { - *spi = ++this->spi; + *spi = (uint32_t)ref_get(&this->spi); return SUCCESS; } -- 1.7.10.4 _______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
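Review bot: In get_spi, the new cast is spelled `(uint32_t)` while the rest of the hunk uses `u_int32_t` (the field being replaced and the `u_int32_t *spi` parameter); write `(u_int32_t)ref_get(&this->spi)` to stay consistent with the file. The replacement also matches the old `++this->spi` only if `ref_get()` returns the value after the increment, which is worth confirming against its definition, since otherwise each caller would not receive the value it alone produced and the duplicate-SPI race would remain. Finally, `refcount_t` is a reference-counting type used here as a plain counter, so the `faked SPI counter` comment on the field should note that the type was chosen for its atomic increment.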
