909_0142-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
Needs Review, Public

Authored by dkg on Nov 15 2016, 1:51 AM.
This revision needs review, but there are no reviewers specified.

Details

Reviewers
None
Summary

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sat, 29 Oct 2016 01:25:05 -0400
Subject: dirmngr: hkp: Avoid potential race condition when some hosts die.

  * dirmngr/ks-engine-hkp.c (select_random_host): Use an atomic pass
    through the host table instead of risking an out-of-bounds write.

Multiple threads may write to hosttable[x]->dead while
select_random_host() is running. For example, a housekeeping thread
might clear the ->dead bit on some entries, or another connection to
dirmngr might manually mark a host as alive.

If one or more hosts are resurrected between the two loops over a
given table in select_random_host(), then the allocation of tbl might
not be large enough, resulting in a write past the end of tbl on the
second loop.

This change collapses the two loops into a single loop to avoid this
discrepancy: each host's "dead" bit is now only checked once.

As Werner points out, this isn't currently strictly necessary, since
npth will not switch threads unless a blocking system call is made,
and no blocking system call is made in these two loops.

However, in a subsequent change in this series, we will call a
function in this loop, and that function may sometimes write(2), or
call other functions, which may themselves block. Keeping this as a
single-pass loop avoids the need to keep track of what might block and
what might not.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

dirmngr/ks-engine-hkp.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
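The pattern the summary describes, as an added illustration rather than dirmngr's own code: a count-then-fill selection over a host table beside the single-pass form that the patch moves to. The host table, the `hostinfo` struct, the `interference_fn` hook (standing in for the housekeeping thread or the other connection that flips `->dead` while the selection runs) and the constructed six-host sample are all assumptions of this example and not taken from `ks-engine-hkp.c`. The two-pass version counts the live hosts the real code would have written past the end of `tbl` instead of performing the write, so the overflow condition can be observed safely.

```c
/* Added example, not dirmngr code: two-pass vs. single-pass host
   selection under concurrent changes to ->dead.  Host table layout
   and the interference hook are constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_HOSTS 8
struct hostinfo { const char *name; int dead; };

static struct hostinfo hosts[MAX_HOSTS];
static struct hostinfo *hosttable[MAX_HOSTS];
static int hosttable_size;

/* Stand-in for another npth thread touching ->dead mid-selection. */
typedef void (*interference_fn)(void);

/* Constructed sample: six hosts, every odd slot currently marked dead. */
static void setup_table(void)
{
  static const char *names[] = { "a", "b", "c", "d", "e", "f" };
  int i;
  hosttable_size = 6;
  for (i = 0; i < hosttable_size; i++)
    {
      hosts[i].name = names[i];
      hosts[i].dead = (i % 2 == 1);
      hosttable[i] = &hosts[i];
    }
}

/* What a housekeeping pass or a manual "alive" command would do. */
static void resurrect_all(void)
{
  int i;
  for (i = 0; i < hosttable_size; i++)
    hosttable[i]->dead = 0;
}

/* Two passes: count live hosts to size tbl, then fill it.  Returns the
   number of live hosts seen by the fill loop; *overflowed is set when
   that exceeds the allocation, i.e. where the real code would have
   written past the end of tbl.  The write itself is skipped here. */
static int select_two_pass(interference_fn between_loops, int *overflowed)
{
  int i, n = 0, alloc, *tbl;
  *overflowed = 0;
  for (i = 0; i < hosttable_size; i++)
    if (hosttable[i] && !hosttable[i]->dead)
      n++;
  alloc = n;
  tbl = calloc(alloc ? alloc : 1, sizeof *tbl);
  if (!tbl)
    return -1;
  if (between_loops)
    between_loops();            /* the window the race needs */
  n = 0;
  for (i = 0; i < hosttable_size; i++)
    if (hosttable[i] && !hosttable[i]->dead)
      {
        if (n < alloc)
          tbl[n] = i;
        else
          *overflowed = 1;      /* would be an out-of-bounds write */
        n++;
      }
  free(tbl);
  return n;
}

/* Single pass: size tbl for every slot up front (it can never need
   more than hosttable_size entries) and test ->dead exactly once per
   host.  A concurrent flip can change which hosts are chosen but can
   never make the fill exceed the allocation.  Returns a randomly
   chosen live host index (or -1) and stores the live count in *count. */
static int select_single_pass(interference_fn during_loop, int *count)
{
  int i, n = 0, pick = -1;
  int *tbl = calloc(hosttable_size ? hosttable_size : 1, sizeof *tbl);
  if (!tbl)
    return -1;
  for (i = 0; i < hosttable_size; i++)
    {
      if (during_loop && i == hosttable_size / 2)
        during_loop();          /* interference mid-loop is harmless */
      if (hosttable[i] && !hosttable[i]->dead)
        tbl[n++] = i;           /* n <= hosttable_size by construction */
    }
  if (n)
    pick = tbl[rand() % n];
  *count = n;
  free(tbl);
  return pick;
}

int main(void)
{
  int ov, n, pick;
  setup_table();
  n = select_two_pass(resurrect_all, &ov);
  printf("two-pass: %d live in fill loop, overflowed=%d\n", n, ov);
  setup_table();
  pick = select_single_pass(resurrect_all, &n);
  printf("single-pass: %d live, picked host %s\n", n, hosts[pick].name);
  return 0;
}
```

Running it shows the asymmetry the summary relies on: hosts dying between the loops only under-fills `tbl`, while hosts coming back to life over-fills it. The single-pass form does not depend on knowing which calls inside the loop might block, which is the point made about the follow-up change in this series.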
