In ERR_get_state (err_def.c:613), there's the following code:

    /* If a race occured in this function and we came second, tmpp
     * is the first one that we just replaced. */
    if (tmpp)
        ERR_STATE_free(tmpp);

As already suggested in 2006 in this message
http://www.mail-archive.com/[email protected]/msg21037.html ,
this race can occur only if one of the following is true:
- CRYPTO_set_id_callback is broken and does not return an identifier that is unique amongst threads
- CRYPTO_set_locking_callback is broken and does not lock
- CRYPTO_set_locking_callback has not been set
All are situations that OpenSSL should *not* try to recover from.
What's more, the race condition *cannot* be recovered from.
The call to ERR_STATE_free(tmpp) will cause the other thread that owns a
pointer to tmpp to write inside a buffer that has already been
deallocated, and to double-free it or to overwrite the buffer after it
has been reallocated to someone else.
I suggest the following code instead:

    /* If a race occurred in this function, either multi-thread
     * locking is broken/disabled or CRYPTO_set_id_callback is not
     * returning an identifier that's unique for each thread. */
    if (tmpp) {
        fprintf(stderr, "ERR_get_state, fatal locking or id error\n");
        abort(); /* ok */
    }

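To make the argument above concrete, here is an added example (not OpenSSL code, and not part of the original message): a cut-down model of the lookup-or-insert pattern in ERR_get_state, where the insert hands back the entry it displaced (the "tmpp" of the original). It simulates the interleaving that only a broken id callback or missing locking can produce, and shows that the displaced entry is the *other* context's live state, so freeing it would be a use-after-free for that context. The table, the two-phase prepare/commit split, the function names and the pluggable race handler are all assumptions made for the example; the fatal path defaults to the fprintf/abort that the proposed patch uses.

```c
/* Added example, not OpenSSL code: model of the ERR_get_state
 * lookup-or-insert race.  Names, table shape and the prepare/commit
 * split are assumptions for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_THREADS 8

typedef struct err_state_st {
    unsigned long tid;
    int err_count;          /* stands in for the per-thread error queue */
} ERR_STATE;

/* One slot per thread id; deliberately no locking, to model the
 * "locking callback not set / broken" situation. */
static ERR_STATE *table[MAX_THREADS];

/* Pluggable race handler so the fatal path can be observed by a test.
 * The default does what the proposed patch does: report and abort(). */
static void (*race_handler)(ERR_STATE *displaced) = NULL;
static void default_race_handler(ERR_STATE *displaced)
{
    (void)displaced;
    fprintf(stderr, "ERR_get_state, fatal locking or id error\n");
    abort();
}

/* Insert returns whatever it displaced: the original code's tmpp. */
static ERR_STATE *table_insert(ERR_STATE *s)
{
    unsigned long slot = s->tid % MAX_THREADS;
    ERR_STATE *old = table[slot];
    table[slot] = s;
    return old;
}

static ERR_STATE *table_lookup(unsigned long tid)
{
    ERR_STATE *s = table[tid % MAX_THREADS];
    return (s != NULL && s->tid == tid) ? s : NULL;
}

/* Phase 1: what a thread does before the (supposedly locked) insert. */
static ERR_STATE *err_state_prepare(unsigned long tid)
{
    ERR_STATE *s = table_lookup(tid);
    if (s != NULL)
        return s;
    s = calloc(1, sizeof(*s));
    s->tid = tid;
    return s;
}

/* Phase 2: the insert.  If tmpp is a *different* entry with the same
 * id, another thread already owns it and is using it; freeing it would
 * hand that thread a dangling pointer, so the only safe answer is fatal. */
static ERR_STATE *err_state_commit(ERR_STATE *fresh)
{
    ERR_STATE *tmpp = table_insert(fresh);
    if (tmpp != NULL && tmpp != fresh)
        (race_handler != NULL ? race_handler : default_race_handler)(tmpp);
    return fresh;
}

/* Test hooks: record the race instead of aborting. */
static ERR_STATE *last_displaced = NULL;
static int races_seen = 0;
static void recording_race_handler(ERR_STATE *d)
{
    last_displaced = d;
    races_seen++;
}

/* Constructed interleaving: two contexts whose id callback returns the
 * same value both miss the lookup (no lock held), B commits first and
 * starts using its state, then A's commit displaces B's live state.
 * Returns 1 if the displaced pointer is exactly B's state. */
int simulate_same_id_race(void)
{
    race_handler = recording_race_handler;
    races_seen = 0;
    memset(table, 0, sizeof(table));

    ERR_STATE *a = err_state_prepare(3);    /* "thread A" misses */
    ERR_STATE *b = err_state_prepare(3);    /* "thread B" also misses */
    err_state_commit(b);                    /* B wins the insert, tmpp NULL */
    b->err_count = 1;                       /* B is now using its state */
    err_state_commit(a);                    /* displaces B's live state */

    int result = (races_seen == 1 && last_displaced == b);
    /* In the original code ERR_STATE_free(tmpp) would free b here while
     * B still holds it.  We free both only because the simulation ends. */
    free(a);
    free(b);
    memset(table, 0, sizeof(table));
    return result;
}

/* The normal path: a second call from the same id hits the lookup and
 * re-inserts the same pointer, which is not a race (tmpp == fresh). */
int simulate_healthy_path(void)
{
    race_handler = recording_race_handler;
    races_seen = 0;
    memset(table, 0, sizeof(table));

    ERR_STATE *first = err_state_commit(err_state_prepare(1));
    ERR_STATE *again = err_state_commit(err_state_prepare(1));
    int result = (races_seen == 0 && first == again);
    free(first);
    memset(table, 0, sizeof(table));
    return result;
}
```

The point the simulation makes is that at the moment tmpp is non-NULL and differs from the entry just inserted, the only thing known about it is that some other context obtained it from the same table and is entitled to keep using it; there is no state in which freeing it is correct, which is why the fatal path is the safe one.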
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]