-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | runtime/nsd_gtls.c | 8 |
2 files changed, 10 insertions, 1 deletions
@@ -1,6 +1,9 @@ - implemented x509/certvalid gtls auth mode - implemented x509/name gtls auth mode - changed fingerprint gtls auth mode to new format fingerprint +- protected gtls error string function by a mutex. Without it, we + could have a race condition in extreme cases. This was very remote, + but now can no longer happen. - changed config directive name to reflect different use $ActionSendStreamDriverCertFingerprint is now $ActionSendStreamDriverPermittedPeer and can be used both for diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index aaa3159c..4f1a82e3 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -31,6 +31,7 @@ #include <gnutls/x509.h> #include <gcrypt.h> #include <errno.h> +#include <pthread.h> #include "rsyslog.h" #include "syslogd-types.h" @@ -60,6 +61,8 @@ DEFobjCurrIf(nsd_ptcp) static int bGlblSrvrInitDone = 0; /**< 0 - server global init not yet done, 1 - already done */ +static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially non-reentrant gtlStrerror() function */ + /* a macro to check GnuTLS calls against unexpected errors */ #define CHKgnutls(x) \ if((gnuRet = (x)) != 0) { \ @@ -311,8 +314,9 @@ uchar *gtlsStrerror(int error) { uchar *pErr; - // TODO: guard by mutex! + pthread_mutex_lock(&mutGtlsStrerror); pErr = (uchar*) strdup(gnutls_strerror(error)); + pthread_mutex_unlock(&mutGtlsStrerror); return pErr; } @@ -1389,6 +1393,7 @@ BEGINmodExit CODESTARTmodExit nsdsel_gtlsClassExit(); nsd_gtlsClassExit(); + pthread_mutex_destroy(&mutGtlsStrerror); ENDmodExit @@ -1406,6 +1411,7 @@ CODESTARTmodInit CHKiRet(nsd_gtlsClassInit(pModInfo)); /* must be done after tcps_sess, as we use it */ CHKiRet(nsdsel_gtlsClassInit(pModInfo)); /* must be done after tcps_sess, as we use it */ + pthread_mutex_init(&mutGtlsStrerror, NULL); ENDmodInit /* vi:set ai: */ |
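Review bot: The new `mutGtlsStrerror` is declared without an initializer and is only set up by `pthread_mutex_init()` at the very end of modInit (last hunk), after both class-init calls and with its return value ignored. If CHKiRet leaves modInit early on failure, or if class initialisation ever reports a GnuTLS error through gtlsStrerror(), the lock would be used while still uninitialised; whether either path is reachable is not visible from these hunks. Static initialisation removes the ordering question: `static pthread_mutex_t mutGtlsStrerror = PTHREAD_MUTEX_INITIALIZER;`. The doc comment on the declaration also names `gtlStrerror()` where the function is `gtlsStrerror()`.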
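Review bot: `strdup()` can return NULL, and gtlsStrerror() hands that straight back, so a caller that passes the result to a `%s` format without checking would fail on the out-of-memory path, which is exactly when error reporting matters. The callers are not visible in this hunk, so the contract should be stated on the function, e.g. `/* returns a malloc'ed copy of the GnuTLS error text; caller must free(); NULL if out of memory */`. The lock also only serialises calls made through this wrapper, so any direct gnutls_strerror() call elsewhere in the file (not shown here) would stay outside it.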