Ticket #308 (closed defect: wontfix)
possible race condition on static buffer in HMAC-SHA1
|Reported by:||neil||Owned by:||jaymccarthy|
Looks like the way that the "HMAC" C function is used in this code -- using a static buffer on the C side for the result -- presents a race condition, in that some code in another Scheme thread could conceivably stomp on the buffer in between the C call being made through FFI and the result being copied out of the static buffer on the Scheme side.
I thought of a mutex lock in the Scheme side, but two potential problems occurred to me: (1) there still might be other concurrent calls into the shared library from Scheme code that don't use this particular FFI binding; (2) C code in native threads might also inadvisably use the static buffer.
Perhaps passing in a fresh buffer each time is the best solution?
I am actually using this library now, so please advise whether you expect to get a chance to look at this in the next few days or I should clone the code and develop my own fix. Thank you.