I get a crash in the lhash code in OpenSSL 0.9.7a. The troublesome case is when it is called from err/err.c in a multithreaded environment.

The root cause *may* be that the hash is destroyed by int_thread_del_item while (say) int_thread_get has a copy of the pointer. The locking does not seem to cover the gap between loading the pointer (int_thread_hash) and then using it. Rather the lock is taken out, the pointer loaded, the lock released. The lock is then re-acquired and then the pointer is used. This seems wrong.

My simple-minded proposal to fix the problem is to delete the code in int_thread_del_item that deletes the hash when it becomes empty. Yes, this will result in some memory being reserved and not freed...

I also suspect that the same problem could arise with int_error_hash -- that pointer is returned by int_err_get() when no lock is being held.

Advice?

Philip

--
Philip Gladstone 978-ZEN-TOAD (978-936-8623)
Cisco Systems, Inc
Boxboro, MA
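
The interleaving described in the message above, replayed deterministically in one thread; this is an added example, not part of the original post and not OpenSSL code. The demo_* names, the callback that stands in for the second thread, and the static pool (used in place of malloc/free so the stale access can be observed safely) are all assumptions; the keep flag models the proposal of never destroying the empty table.

```c
/* Added example, not OpenSSL code; demo_* names are hypothetical stand-ins. */
#include <stddef.h>
typedef struct { int live; int items; } demo_hash;  /* stands in for the LHASH */
static demo_hash pool[8];           /* static pool: a "freed" table stays readable */
static int pool_next, keep_empty;   /* keep_empty=1: never destroy the empty table */
static demo_hash *thread_hash;      /* shared pointer, like int_thread_hash */
static void (*other_thread)(void);  /* scheduled once, at the next lock release */

static void lock(void) { /* single-threaded model: nothing to wait for */ }
static void unlock(void) {
    void (*run)(void) = other_thread;
    other_thread = NULL;
    if (run) run();                 /* the other thread gets in here */
}

/* Like int_thread_del_item: drop one entry, destroy the table once it is empty. */
static void demo_del_item(void) {
    lock();
    if (thread_hash && --thread_hash->items == 0 && !keep_empty) {
        thread_hash->live = 0;      /* real code would free the table here */
        thread_hash = NULL;
    }
    unlock();
}

/* Reported pattern: load under the lock, release, re-acquire, use.
 * Returns 1 = used a live table, 0 = no table, -1 = used a destroyed table. */
static int demo_get_racy(void) {
    lock(); demo_hash *h = thread_hash; unlock();   /* the gap opens here */
    if (h == NULL) return 0;
    lock(); int r = h->live ? 1 : -1; unlock();
    return r;
}

/* Load and use inside one critical section: no gap. */
static int demo_get_locked(void) {
    lock();
    int r = thread_hash ? (thread_hash->live ? 1 : -1) : 0;
    unlock();
    return r;
}

/* One table holding one entry; the deleting thread runs at the first unlock. */
static int demo_replay(int (*get)(void), int keep) {
    keep_empty = keep; other_thread = demo_del_item;
    thread_hash = &pool[pool_next++ % 8];
    thread_hash->live = 1; thread_hash->items = 1;
    return get();
}
```

demo_replay(demo_get_racy, 0) reports a use of the destroyed table, while the same schedule against demo_get_locked, or against the racy getter with keep set, does not.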