
Commit 0bcbef3

committed
Fail closed in lwIP and wolfIP dispatch and filter callbacks
1 parent dfabee1 commit 0bcbef3

2 files changed

Lines changed: 37 additions & 35 deletions


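--- a/src/lwip/packet_filter_glue.c
+++ b/src/lwip/packet_filter_glue.c
@@ -101,7 +101,7 @@ static err_t ethernet_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -132,7 +132,7 @@ static err_t ethernet_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_LINK;
@@ -182,7 +182,7 @@ static err_t ethernet_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -238,7 +238,7 @@ static err_t ip4_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -272,7 +272,7 @@ static err_t ip4_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -322,7 +322,7 @@ static err_t ip4_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -373,7 +373,7 @@ static err_t ip6_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -407,7 +407,7 @@ static err_t ip6_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -457,7 +457,7 @@ static err_t ip6_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -511,7 +511,7 @@ static err_t tcp_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_ACCEPTING:
@@ -589,7 +589,7 @@ static err_t tcp_filter_with_wolfsentry(
 case FILT_DISSOCIATE:
 case FILT_ADDR_UNREACHABLE:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 #if LWIP_IPV6
@@ -658,10 +658,10 @@ static err_t tcp_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-ret = ERR_RST;
-else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+ret = ERR_RST;
 else
 ret = ERR_OK;
 
@@ -723,7 +723,7 @@ static err_t udp_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_BINDING:
@@ -778,7 +778,7 @@ static err_t udp_filter_with_wolfsentry(
 case FILT_ADDR_UNREACHABLE:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 #if LWIP_IPV6
@@ -847,10 +847,10 @@ static err_t udp_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-ret = ERR_RST;
-else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+ret = ERR_RST;
 else
 ret = ERR_OK;
 
@@ -910,7 +910,7 @@ static err_t icmp4_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -945,7 +945,7 @@ static err_t icmp4_filter_with_wolfsentry(
 case FILT_STOP_LISTENING:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -995,7 +995,7 @@ static err_t icmp4_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -1046,7 +1046,7 @@ static err_t icmp6_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -1081,7 +1081,7 @@ static err_t icmp6_filter_with_wolfsentry(
 case FILT_STOP_LISTENING:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -1131,7 +1131,7 @@ static err_t icmp6_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;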
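Review bot: In the last hunks of tcp_filter_with_wolfsentry and udp_filter_with_wolfsentry the REJECT test now runs before the PORT_RESET test, so a result carrying both bits returns `ERR_ABRT` where the old code returned `ERR_RST`. If wolfSentry sets PORT_RESET together with REJECT (not visible on this page, worth confirming), `ERR_RST` becomes unreachable for rejected traffic and the peer sees a silent drop instead of a reset. The commit title only speaks of failing closed, so the reordering looks like an unintended side effect. Failing closed does not need it: put `if (WOLFSENTRY_IS_FAILURE(ws_ret)) ret = ERR_ABRT;` first and keep the original `else if` order (PORT_RESET, then REJECT) after it. All of these function bodies start and end outside the hunks shown.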

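--- a/src/wolfip/packet_filter_glue.c
+++ b/src/wolfip/packet_filter_glue.c
@@ -141,7 +141,7 @@ static int wolfip_dispatch_event(
 WOLFSENTRY_THREAD_HEADER_DECLS
 
 if (wolfsentry == NULL)
-return 0;
+return -WOLFIP_EACCES;
 
 if (WOLFSENTRY_THREAD_HEADER_INIT(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
 return -WOLFIP_EACCES;
@@ -163,7 +163,7 @@ static int wolfip_dispatch_event(
 if (WOLFSENTRY_THREAD_TAILER(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
 return -WOLFIP_EACCES;
 
-if (wolfip_action_rejects(*action_results))
+if (WOLFSENTRY_IS_FAILURE(ws_ret) || wolfip_action_rejects(*action_results))
 return -WOLFIP_EACCES;
 
 return 0;
@@ -209,7 +209,7 @@ static int wolfip_filter_ethernet(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_link_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -261,7 +261,7 @@ static int wolfip_filter_ipv4(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -360,7 +360,7 @@ static int wolfip_filter_tcp(
 action_results = WOLFSENTRY_ACTION_RES_DEROGATORY;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -442,7 +442,7 @@ static int wolfip_filter_udp(
 WOLFSENTRY_ACTION_RES_EXCLUDE_REJECT_ROUTES;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -504,7 +504,7 @@ static int wolfip_filter_icmp(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -518,8 +518,10 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
 {
 struct wolfsentry_context *wolfsentry = (struct wolfsentry_context *)arg;
 
-if ((wolfsentry == NULL) || (event == NULL))
-return 0;
+if (wolfsentry == NULL)
+return -WOLFIP_EACCES;
+if (event == NULL)
+return -WOLFIP_EACCES;
 
 switch (event->meta.ip_proto) {
 case WOLFIP_FILTER_PROTO_ETH:
@@ -533,7 +535,7 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
 case WOLFIP_FILTER_PROTO_ICMP:
 return wolfip_filter_icmp(wolfsentry, event);
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 }
 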
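Review bot: Every denial path in this file now returns the same `-WOLFIP_EACCES` with no diagnostic visible in the hunks: a missing context, a NULL event, an unknown `ip_proto`, an unrecognized reason in each `default:` branch, and a failed `ws_ret` in wolfip_dispatch_event. An operator whose device starts dropping all traffic therefore cannot tell a policy reject from an integration fault. The lwIP glue keeps `WOLFSENTRY_WARN_ON_FAILURE(ws_ret);` ahead of its check; whether wolfip_dispatch_event does the same lies outside the hunk and is worth confirming. I would at least mark each `default:` with a comment such as `/* fail closed: unrecognized reason is denied, not passed */` so a later maintainer does not "fix" it back to `return 0;`. Separately, the two back-to-back NULL tests in wolfip_filter_with_wolfsentry return the same value and read better as the original single condition, `if ((wolfsentry == NULL) || (event == NULL)) return -WOLFIP_EACCES;`.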
