
Commit 1bde90a

committed
aws_msk_iam: Add error checking for pthread mutex operations in MSK IAM
Signed-off-by: Arbin <[email protected]>
1 parent df60777 commit 1bde90a

1 file changed

+14
-4
lines changed

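--- a/src/aws/flb_aws_msk_iam.c
+++ b/src/aws/flb_aws_msk_iam.c
@@ -547,11 +547,17 @@ static void oauthbearer_token_refresh_cb(rd_kafka_t *rk,
 * Without synchronization, concurrent refresh/get_credentials calls can
 * corrupt provider state and cause authentication failures.
 */
-pthread_mutex_lock(&config->lock);
+if (pthread_mutex_lock(&config->lock) != 0) {
+flb_error("[aws_msk_iam] failed to acquire credential provider lock");
+rd_kafka_oauthbearer_set_token_failure(rk, "internal locking error");
+return;
+}
 
 /* Refresh credentials */
 if (config->provider->provider_vtable->refresh(config->provider) < 0) {
-pthread_mutex_unlock(&config->lock);
+if (pthread_mutex_unlock(&config->lock) != 0) {
+flb_error("[aws_msk_iam] failed to release credential provider lock");
+}
 flb_warn("[aws_msk_iam] credential refresh failed, will retry on next callback");
 rd_kafka_oauthbearer_set_token_failure(rk, "credential refresh failed");
 return;
@@ -560,14 +566,18 @@ static void oauthbearer_token_refresh_cb(rd_kafka_t *rk,
 /* Get credentials */
 creds = config->provider->provider_vtable->get_credentials(config->provider);
 if (!creds) {
-pthread_mutex_unlock(&config->lock);
+if (pthread_mutex_unlock(&config->lock) != 0) {
+flb_error("[aws_msk_iam] failed to release credential provider lock");
+}
 flb_error("[aws_msk_iam] failed to get AWS credentials from provider");
 rd_kafka_oauthbearer_set_token_failure(rk, "credential retrieval failed");
 return;
 }
 
 /* Unlock immediately after getting credentials - no need to hold lock during payload generation */
-pthread_mutex_unlock(&config->lock);
+if (pthread_mutex_unlock(&config->lock) != 0) {
+flb_error("[aws_msk_iam] failed to release credential provider lock");
+}
 
 /* Generate payload */
 payload = build_msk_iam_payload(config, host, creds);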
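Review bot: The four new error branches test the return of pthread_mutex_lock()/pthread_mutex_unlock() against 0 but discard the value, so the log lines cannot tell an uninitialised or destroyed lock (EINVAL) from an ownership bug (EPERM/EDEADLK). The pthread calls return the error number directly and do not set errno, so it has to be captured at the call, e.g. `ret = pthread_mutex_lock(&config->lock);` followed by `flb_error("[aws_msk_iam] failed to acquire credential provider lock (error %d)", ret);`. The three unlock branches are identical and could share a small static helper that does the same logging. On the last unlock the code logs and carries on to payload generation; if the mutex really is still held, the next refresh callback would presumably block or fail at the lock, so that branch deserves a comment saying the fall-through is intentional. The body of oauthbearer_token_refresh_cb starts and ends outside these hunks, so whether a suitable local already exists is not visible here.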
