[strongSwan-dev] [PATCH 2/2] Fix packet drop due to race condition on responder

Christophe Gouault christophe.gouault at 6wind.com
Fri Jul 11 14:58:22 CEST 2014


Hi Martin,

2014-07-11 13:51 GMT+02:00 Martin Willi <martin at strongswan.org>:
> Christophe,
>
>> However, the hash calculation is not reentrant because a single hasher
>> is used for the whole IKE SA manager. It leads to bogus calculations
>> under high load
>
> I agree, this bug should be addressed. Some hasher implementations, such
> as the default, actually store hash context on the stack, so this is an
> issue for IKEv1 only. Others, such as the one from the openssl plugin,
> do not and can't handle multiple simultaneous users.
>
>> Don't share a single hasher in the IKE SA manager, create a transient
>> one whenever a message must be hashed.
>
> Thanks for the patch, looks good. Not sure if it would be better
> performance-wise to use locking instead, but I'm fine with that
> approach.
>
>> -                     return FALSE;
>> +                     goto end;
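
Review bot: the `goto end` that replaces `return FALSE` here only helps if every other exit taken after the transient hasher is created also reaches the `end` label; any plain `return` left on such a path leaks the hasher. Check the remaining returns in this function, and make sure the value returned after `end` is still FALSE on this failure path.
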
>
> I'm no fan of goto-programming, hence I took the liberty to adjust your
> patch slightly [1].

Agreed, the manner you used is more elegant.

> Queued for mainline.

Great, thanks.
Christophe

> Regards
> Martin
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=595389f9
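
The failure mode discussed in this thread, as an added example that is not part of the original message and is not strongSwan code: a toy FNV-1a hasher (the `hasher_t` API and all names are hypothetical) replays, deterministically in one thread, the interleaving two threads could produce on a single shared context, next to the per-call context the patch description proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stateful hasher (FNV-1a, 32 bit). Hypothetical stand-in, not strongSwan's hasher_t. */
typedef struct { uint32_t state; } hasher_t;

static void hasher_reset(hasher_t *h) { h->state = 2166136261u; }

static void hasher_update(hasher_t *h, const char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h->state ^= (uint8_t)data[i];
        h->state *= 16777619u;
    }
}

/* Transient hasher: the context lives on the caller's stack, so callers cannot collide. */
uint32_t hash_transient(const char *part1, const char *part2)
{
    hasher_t h;
    hasher_reset(&h);
    hasher_update(&h, part1, strlen(part1));
    hasher_update(&h, part2, strlen(part2));
    return h.state;
}

/* One context shared by all callers, as with a single hasher for a whole manager. */
static hasher_t shared;

/* Replays one possible schedule: caller 2 starts between caller 1's two updates. */
uint32_t hash_shared_interleaved(const char *part1, const char *part2, const char *other)
{
    hasher_reset(&shared);                          /* caller 1 starts its message   */
    hasher_update(&shared, part1, strlen(part1));
    hasher_reset(&shared);                          /* caller 2 wipes caller 1 state */
    hasher_update(&shared, other, strlen(other));
    hasher_update(&shared, part2, strlen(part2));   /* caller 1 resumes              */
    return shared.state;                            /* value handed back to caller 1 */
}

int main(void)
{
    /* Constructed sample inputs */
    printf("transient: %08x\n", (unsigned)hash_transient("peer-A", "|nonce"));
    printf("shared:    %08x\n", (unsigned)hash_shared_interleaved("peer-A", "|nonce", "peer-B"));
    return 0;
}
```

With the shared context, caller 1 receives the hash of a message that mixes caller 2's data with its own, which is the "bogus calculation" described above.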
