5.6. Dynamic Participant Renewal, Revocation, and Expiration
5.6.1. [Critical] Invalid read when simultaneously changing a file and changing a property value for an identity certificate or CRL *
Suppose you had set
authentication.identity_certificate_file_poll_period.millisec
to a
value other than 0. If you changed the contents of your identity
certificate file and then called set_qos()
to change the
dds.sec.auth.identity_certificate
property value, a race condition
would have occurred because those two operations were not thread-safe
with respect to each other. This race condition led to the reading of
invalid memory. A memory checking tool such as Valgrind™ would have
reported invalid reads in a function due to accessing an address freed
by a different function. A similar problem existed for CRLs (the
affected properties were
authentication.crl_file_poll_period.millisec
and
authentication.crl
).
Note that in Security Plugins 7.3.0, the two poll_period.millisec
properties mentioned above have been replaced with a new property called
files_poll_interval
.
[RTI Issue ID SEC-2384]
5.6.2. [Critical] Invalid read when simultaneously changing an identity certificate file and authenticating another participant *
Suppose you had set
authentication.identity_certificate_file_poll_period.millisec
to a
value other than 0. If you changed the contents of your identity
certificate file while authenticating another DomainParticipant,
a race condition would have occurred because those two operations
were not thread-safe with respect to each other. This race condition
led to the reading of invalid memory. A memory checking tool such as
Valgrind™ would have reported invalid reads in a function due to
accessing an address freed by a different function.
Note that in Security Plugins 7.3.0, the poll_period.millisec property
mentioned above has been replaced with a new property called files_poll_interval
.
[RTI Issue ID SEC-2405]
5.6.3. [Minor] Changing identity certificate property from string to equivalent file not detected
The Builtin Security Plugins did not detect changes to a DomainParticipant’s identity certificate in the following scenario:
The
dds.sec.auth.identity_certificate
property was set to a data string (using thedata:,
prefix).The
authentication.identity_certificate_file_poll_period.millisec
property was set to a non-zero value.The DomainParticipant’s identity certificate was changed from the value with the
data:,
prefix to an equivalent value with thefile:
prefix. The file contents were the same as the string in thedata:,
value.
In this case, the poll period was ineffective and the Builtin Security Plugins failed to detect any changes in the file.
The same problem occurred if you started with one file and then changed to a different file with the same contents: the Builtin Security Plugins would not detect changes in the new file.
[RTI Issue ID SEC-2319]
* This bug does not affect you if you are upgrading from 6.1.x or earlier.