charon-tkm: Return cloned host from tkm_kernel_sad_t::get_dst_host()

When an expire is triggered while rekeying, the CHILD_SA might be deleted
while the returned host is still used to queue a rekey job for the CHILD_SA.

3 files changed, 4 insertions, 2 deletions

diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index f4107d90a..a36629b13 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -47,4 +47,5 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
 	DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
 		 ntohl(spi_rem), dst);
 	charon->kernel->expire(charon->kernel, protocol, spi_rem, dst, hard != 0);
+	dst->destroy(dst);
 }
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 97226f1ac..c888f2561 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -283,7 +283,7 @@ METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
 											(void**)&entry, &reqid, &spi, &proto);
 	if (res && entry)
 	{
-		dst = entry->dst;
+		dst = entry->dst->clone(entry->dst);
 		DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u,"
 			 " spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto);
 	}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index ba6462192..63d02b7e4 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -79,7 +79,8 @@ struct tkm_kernel_sad_t {
 	 * @param reqid			reqid of CHILD SA
 	 * @param spi			Remote SPI of CHILD SA
 	 * @param proto			protocol of CHILD SA (ESP/AH)
-	 * @return				destination host of entry if found, NULL otherwise
+	 * @return				destination host of entry if found (cloned),
+	 *						NULL otherwise
 	 */
 	host_t * (*get_dst_host)(tkm_kernel_sad_t * const this,
 			  const uint32_t reqid, const uint32_t spi, const uint8_t proto);