From e469b16d0b91c0c37427a19d574c112c9eaba6e5 Mon Sep 17 00:00:00 2001
From: Mateusz Guzik <mjg@FreeBSD.org>
Date: Wed, 3 Nov 2021 19:50:41 +0100
Subject: [PATCH] ipsec: fix edge case detection in key_getnewspid

Same comparison problem as in key_do_getnewspi.

Reviewed by:	ae
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D32827
---
 sys/netipsec/key.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 9a810fa49931..e2e1d76911ec 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -2147,10 +2147,12 @@ key_getnewspid(void)
 {
 	struct secpolicy *sp;
 	uint32_t newid = 0;
-	int count = V_key_spi_trycnt;	/* XXX */
+	int tries, limit;
 
 	SPTREE_WLOCK_ASSERT();
-	while (count--) {
+
+	limit = atomic_load_int(&V_key_spi_trycnt);
+	for (tries = 0; tries < limit; tries++) {
 		if (V_policy_id == ~0) /* overflowed */
 			newid = V_policy_id = 1;
 		else
@@ -2162,7 +2164,7 @@ key_getnewspid(void)
 		if (sp == NULL)
 			break;
 	}
-	if (count == 0 || newid == 0) {
+	if (tries == limit || newid == 0) {
 		ipseclog((LOG_DEBUG, "%s: failed to allocate policy id.\n",
 		    __func__));
 		return (0);