DragonFlyBSD Kernel Audit
← dashboard
DF-0303

HMAC precomputed context torn-read race between config and input paths

Summary

carp_hmac_prepare(:504) rewrites sc_sha1 in-place on CPU0. carp_hmac_verify/generate(:562) bcopy sc_sha1 on packet-input CPU (any). No lock/barrier. Code admits XXX: possible race here(:517). Torn SHA1_CTX -> legitimate adv fails HMAC -> failover disruption. Timing-dependent.