author | Martin Willi <martin@revosec.ch> | 2013-06-13 13:34:12 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-06-13 13:37:50 +0200 |
commit | 246e2bed1d005386938fb6243ec97cf2cff7bd48 (patch) | |
tree | 1c7a43835b6f193f97954179d1e77863ef1ebb27 | |
parent | 44fb978169e99a7fa7c3f62a0e74157a886484b9 (diff) | |
download | strongswan-246e2bed1d005386938fb6243ec97cf2cff7bd48.tar.bz2 strongswan-246e2bed1d005386938fb6243ec97cf2cff7bd48.tar.xz |
Use subset matching instead of is_contained_in() to select a child_cfg
If one selector has a wider IP range than the other, but the other has a
wider port/protocol selector than the first one, neither is completely contained
in the other. The check for a match using is_contained_in() would therefore
fail. Using get_subset() can handle such cases, fixing configuration selection.
-rw-r--r-- | src/libcharon/config/peer_cfg.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 8de7d1289..eb983199b 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -249,7 +249,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 {
 linked_list_t *cfg_list;
 enumerator_t *sup_enum, *cfg_enum;
- traffic_selector_t *sup_ts, *cfg_ts;
+ traffic_selector_t *sup_ts, *cfg_ts, *subset;
 int match = 0, round;

 /* fetch configured TS list, narrowing dynamic TS */
@@ -268,10 +268,14 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 { /* equality is honored better than matches */
 match += round * 5;
 }
- else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
- sup_ts->is_contained_in(sup_ts, cfg_ts))
+ else
 {
- match += round * 1;
+ subset = cfg_ts->get_subset(cfg_ts, sup_ts);
+ if (subset)
+ {
+ subset->destroy(subset);
+ match += round * 1;
+ }
 }
 }
 cfg_enum->destroy(cfg_enum); |
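Review bot: In the new `else` branch of the second hunk, any non-empty result from `get_subset()` earns `round * 1`, the weight full containment had before. A configured selector that shares only a small part of the address or port range with the supplied one therefore now ranks equal to one that covers it completely. The supplied list presumably comes from the peer's proposal, so the branch should say that this score only ranks candidate configs and is not the access decision, for example `/* any overlap counts as a match; the selectors are narrowed to the subset later, this only ranks configs */` (where narrowing happens is not visible here, so confirm before wording it this way). If containment should still outrank partial overlap, the subset can be compared before it is destroyed, `if (subset->equals(subset, cfg_ts) || subset->equals(subset, sup_ts))`, and given a higher weight. The body of get_ts_match starts and ends outside both hunks, so how equal scores are broken between configs cannot be checked from this diff.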