[strongSwan-dev] [PATCH 2/2] Fix packet drop due to race condition on responder
Martin Willi
martin at strongswan.org
Fri Jul 11 13:51:20 CEST 2014
Christophe,
> However, the hash calculation is not reentrant because a single hasher
> is used for the whole IKE SA manager. It leads to bogus calculations
> under high load
I agree, this bug should be addressed. Some hasher implementations, such
as the default, actually store hash context on the stack, so this is an
issue for IKEv1 only. Others, such as the one from the openssl plugin,
does not and can't handle multiple simultaneous users.
> Don't share a single hasher in the IKE SA manager, create a transient
> one whenever a message must be hashed.
Thanks for the patch, looks good. Not sure if it would be better
performance-wise to use locking instead, but I'm fine with that
approach.
> - return FALSE;
> + goto end;
I'm no fan of goto-programming, hence I took the liberty to adjust your
patch slightly [1]. Queued for mainline.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=595389f9
More information about the Dev
mailing list