[ https://issues.apache.org/jira/browse/GEODE-10371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17556943#comment-17556943 ]
ASF GitHub Bot commented on GEODE-10371:
----------------------------------------

gaussianrecurrence commented on code in PR #974:
URL: https://github.com/apache/geode-native/pull/974#discussion_r902712371

##########
cppcache/src/TcrConnection.cpp:
##########
@@ -63,23 +63,10 @@ bool useReplyTimeout(const apache::geode::client::TcrMessage& request) { } int expiryTimeVariancePercentage() { - auto nowTimePoint = std::chrono::steady_clock::now().time_since_epoch(); - auto now_ms = - std::chrono::duration_cast<std::chrono::milliseconds>(nowTimePoint) - .count(); - auto now_s = - std::chrono::duration_cast<std::chrono::seconds>(nowTimePoint).count(); - - srand(static_cast<unsigned int>((now_s * 1000) + (now_ms / 1000))); - - const int numbers = 21; - // NOLINTNEXTLINE(clang-analyzer-security.insecureAPI.rand): TODO replace - int random = rand() % numbers + 1; - - if (random > 10) { - random = random - numbers; - } - return random; + std::random_device rd; + std::default_random_engine generator(rd()); + std::uniform_int_distribution<int> distribution(-9, 9);

Review Comment:
It'd be good to add a couple of constants to add some semantic meaning to the distribution limits

> C++ Native client: Improve dispersion on connections expiration
> ---------------------------------------------------------------
>
> Key: GEODE-10371
> URL: https://issues.apache.org/jira/browse/GEODE-10371
> Project: Geode
> Issue Type: Improvement
> Components: native client
> Reporter: Alberto Gomez
> Assignee: Alberto Gomez
> Priority: Major
>
> The dispersion on connections expirations in the C++ native client works in such a way that it adds a dispersion (variance) between -9% and 9% over the time for a connection to expire due to load-conditioning so that, in the event of having many connections being created at the same time, they do not expire at the right exact time.
> Nevertheless, the current implementation has two problems:
> - The randomness of the variance depends on the current time in seconds. As a result, for connections created in the same second, the variance will be the same and, therefore, the expiration time too.
> - The randomness is created using the C standard's library "rand()" function which is considered not secure.
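Review bot: the `+` lines narrow the variance range compared with the removed code, and it is worth saying whether that is intended. The removed `rand() % numbers + 1` with `numbers = 21` yields 1..21, and `random = random - numbers` for anything above 10 maps 11..21 onto -10..0, so the old function returned -10..10; `std::uniform_int_distribution<int> distribution(-9, 9)` is inclusive on both ends and returns -9..9. That matches the -9%..9% stated in the issue, but -10 and 10 are no longer possible, so either note the change in the commit message or use (-10, 10) if the previous bounds were the real contract. On the seeding fix itself: the removed seed `(now_s * 1000) + (now_ms / 1000)` only changed once per second because `now_ms / 1000` is the same number as `now_s`, which is the defect the issue describes, and the new lines do cure it; however a `std::random_device` and a freshly seeded `std::default_random_engine` are now constructed on every call, so consider seeding an engine once (a function-local `static` guarded by a mutex, or `thread_local`, depending on how TcrConnection is used across threads) and keeping only the distribution per call. The hunk starts at line 63, so it does not show whether `<random>` is already included; please confirm it is.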
> It is recommended to change the library used to generate the random variance to a secure one and also to make sure that for the time in seconds it does not return the same variance.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
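As an added illustration of the two problems the issue describes (this is example code, not code from the geode-native project or from PR #974): `timeSeededVariance` mirrors the removed lines of the hunk but takes the clock reading as parameters so that the per-second seeding can be shown deterministically, and `seededVariance` is one way to draw the variance from an engine seeded once from `std::random_device`. The constant names `kMinVariancePercent` and `kMaxVariancePercent`, the `applyVariance` helper (the client's real load-conditioning arithmetic is not on this page), the two check helpers, and the choice of `std::mt19937` with `thread_local` seeding instead of the PR's `std::default_random_engine` are all assumptions of this example.

```cpp
#include <chrono>
#include <cstdio>
#include <cstdlib>
#include <random>
#include <vector>

using std::chrono::milliseconds;

// Mirror of the removed (pre-fix) variance computation, with the clock reading
// passed in so the seeding behaviour can be shown deterministically.
// now_ms / 1000 always equals now_s, so the seed is effectively now_s * 1001:
// it changes only once per second, and every call within that second draws
// the same first value from rand().
int timeSeededVariance(long long now_s, long long now_ms) {
  std::srand(static_cast<unsigned int>((now_s * 1000) + (now_ms / 1000)));
  const int numbers = 21;
  int random = std::rand() % numbers + 1;  // 1..21
  if (random > 10) {
    random = random - numbers;             // 11..21 -> -10..0
  }
  return random;                           // -10..10
}

// Hypothetical names for the distribution limits (assumed for this example,
// not taken from the project).
constexpr int kMinVariancePercent = -9;
constexpr int kMaxVariancePercent = 9;

// Replacement: an engine seeded once per thread from std::random_device, so
// connections created in the same second still get independent draws and the
// cost of std::random_device is not paid on every call.
int seededVariance() {
  thread_local std::mt19937 engine{std::random_device{}()};
  std::uniform_int_distribution<int> distribution(kMinVariancePercent,
                                                  kMaxVariancePercent);
  return distribution(engine);
}

// Assumed helper: apply a signed percentage variance to a base expiry time.
milliseconds applyVariance(milliseconds base, int percent) {
  return base + base * percent / 100;
}

// Draw n variances and report whether all of them lie within [lo, hi].
bool seededValuesInRange(int n, int lo, int hi) {
  for (int i = 0; i < n; ++i) {
    int v = seededVariance();
    if (v < lo || v > hi) return false;
  }
  return true;
}

// Draw n variances and count how many distinct values appeared.
int distinctSeededValues(int n) {
  std::vector<bool> seen(kMaxVariancePercent - kMinVariancePercent + 1, false);
  int distinct = 0;
  for (int i = 0; i < n; ++i) {
    int idx = seededVariance() - kMinVariancePercent;
    if (!seen[idx]) {
      seen[idx] = true;
      ++distinct;
    }
  }
  return distinct;
}

int main() {
  // Constructed clock readings: the same second, 123 ms and 987 ms into it.
  const long long sec = 1700000000LL;
  std::printf("time-seeded, same second: %d and %d\n",
              timeSeededVariance(sec, sec * 1000 + 123),
              timeSeededVariance(sec, sec * 1000 + 987));
  std::printf("engine-seeded: %d distinct values in 1000 draws\n",
              distinctSeededValues(1000));
  milliseconds expiry(10000);
  std::printf("10000 ms with %d%% variance -> %lld ms\n", kMaxVariancePercent,
              static_cast<long long>(
                  applyVariance(expiry, kMaxVariancePercent).count()));
  return 0;
}
```

The first line printed shows the defect: two calls in the same second, hundreds of milliseconds apart, produce the identical percentage, so every connection created in that second expires at the same moment. The second line shows the seeded engine spreading 1000 draws over the 19 possible values, and the last line shows the arithmetic the variance is meant to disperse (a 10 s expiry becomes 10.9 s at +9%).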