> All (most?) similar cases clear the 'init' flag *after* having set up > the data structures appropriately, e.g. see ssl/s3_meth.c.
Yes, SSLv3_client_method is the only one I saw which had init set in the wrong place. I may have missed some. > No locking should be needed because the assignments are idempotent. However, the assignments are not atomic. The following unprotected operation: if (init) { memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_server_data.ssl_accept=ssl3_accept; SSLv3_server_data.get_ssl_method=ssl3_get_server_method; init=0; } can result in a thread calling .ssl_accept or .get_ssl_method after the memcpy but before the assignment. In this case, ssl_undefined_function is called and it errors out. To make this code properly thread-safe, locks and atomic sets should be used to protect any non-atomic functions working on shared data. patrick ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]