id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	planetversion	pltversion
308	possible race condition on static buffer in HMAC-SHA1	neil	jaymccarthy	"Looks like the way that the ""HMAC"" C function is used in this code -- using a static buffer on the C side for the result -- presents a race condition, in that some code in another Scheme thread could conceivably stomp on the buffer in between the C call being made through FFI and the result being copied out of the static buffer on the Scheme side.

I thought of a mutex lock in the Scheme side, but two potential problems occurred to me: (1) there still might be other concurrent calls into the shared library from Scheme code that don't use this particular FFI binding; (2) C code in native threads might also inadvisably use the static buffer.

Perhaps passing in a fresh buffer each time is the best solution?

I am actually using this library now, so please advise whether you expect to get a chance to look at this in the next few days or I should clone the code and develop my own fix.  Thank you.

http://www.openssl.org/docs/crypto/hmac.html
"	defect	closed	minor		jaymccarthy/hmac-sha1.plt	wontfix			(1 1)	4.2.5