ike-sa: Avoid possible integer underflow when scheduling reauth after rekeying

If the reauthentication is scheduled while rekeying, the difference might be negative, however, schedule_job() takes an unsigned int, so the reauth would get scheduled very far in the future.
2021-01-15 16:19:49 +01:00 · 2021-01-15 16:19:49 +01:00 · 97857eaa12
parent 20dfbcad08
commit 97857eaa12
1 changed files with 1 additions and 1 deletions
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@ -2982,7 +2982,7 @@ METHOD(ike_sa_t, inherit_post, void,
 		time_t reauth, delete, now = time_monotonic(NULL);

 		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
-		reauth = this->stats[STAT_REAUTH] - now;
+		reauth = max(0, this->stats[STAT_REAUTH] - now);
 		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
 		this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
 		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "