You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@santuario.apache.org by bu...@apache.org on 2010/11/10 19:42:39 UTC

DO NOT REPLY [Bug 50248] New: Concurrency problem on incomplete Init.init() calls

https://issues.apache.org/bugzilla/show_bug.cgi?id=50248

           Summary: Concurrency problem on incomplete Init.init() calls
           Product: Security
           Version: Java 1.4.2
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: Oliver.Moehrke@web.de


The static method Init.init() is synchronized and therefore protected against
calling it by more than one thread at a time. It is also protected against
accidentally calling it more than once. But it is not protected against an
incomplete initialization:

Imagine the two threads T1 and T2.

Inside Init.init() the line "_alreadyInitialized = true;" is at the beginning
of the method, when only some variables have been set, but the initialization
process is not fully completed.

If T1 successfully entered Init.init() but is suspended by the scheduler just
after processing the line "_alreadyInitialized = true;" this will cause
concurrency problems for T2.

Because T1 already set "_alreadyInitialized" to "true", T2 can use the
unsynchronized method Init.isInitialized() to check if an initialization is
needed. Unfortunately T2 will get the result "true" and therefore skips the
call to Init.init() and directly goes to check a signature via
XMLSginature.checkSignatureValue(X509Certificate).

Because of the incomplete initialization this will lead to some very strange
exceptions. In our case the exception misses some entries of the
ResourceBundle...

To fix this issue, the line "_alreadyInitialized = true;" should be the last
line of Init.init().

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

DO NOT REPLY [Bug 50248] Concurrency problem on incomplete Init.init() calls

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=50248

coheigea <co...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from coheigea <co...@apache.org> 2010-11-11 05:37:12 EST ---

Fixed on trunk:

Author: coheigea
Date: Thu Nov 11 10:27:32 2010
New Revision: 1033870

URL: http://svn.apache.org/viewvc?rev=1033870&view=rev
Log:
[50248] - Concurrency problem on incomplete Init.init() calls.

and on J_1_4_4 tag:

Author: coheigea
Date: Thu Nov 11 10:35:37 2010
New Revision: 1033875

URL: http://svn.apache.org/viewvc?rev=1033875&view=rev
Log:
[50248] - Concurrency problem on incomplete Init.init() calls.

Colm.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.