
Commit df8ade2

committed
Fail closed in lwIP and wolfIP dispatch and filter callbacks
1 parent 871c97c commit df8ade2

2 files changed

Lines changed: 94 additions & 33 deletions


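--- a/src/lwip/packet_filter_glue.c
+++ b/src/lwip/packet_filter_glue.c
@@ -63,6 +63,25 @@
 }
 #endif
 
+/* On a dispatch failure the action_results are not trustworthy. Fall back to
+* the context's configured default policy: reject only if that policy rejects,
+* or if it can't be determined (including a NULL context).
+*/
+static int lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_IN) {
+wolfsentry_action_res_t default_policy;
+wolfsentry_errcode_t ws_ret;
+if (wolfsentry == NULL)
+return 1;
+ws_ret = wolfsentry_context_lock_shared(WOLFSENTRY_CONTEXT_ARGS_OUT);
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+return 1;
+ws_ret = wolfsentry_route_default_policy_get(WOLFSENTRY_CONTEXT_ARGS_OUT, &default_policy);
+(void)wolfsentry_context_unlock(WOLFSENTRY_CONTEXT_ARGS_OUT);
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+return 1;
+return WOLFSENTRY_MASKIN_BITS(default_policy, WOLFSENTRY_ACTION_RES_REJECT) ? 1 : 0;
+}
+
 #if LWIP_ARP || LWIP_ETHERNET
 
 #include "netif/ethernet.h"
@@ -101,7 +120,7 @@ static err_t ethernet_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -132,7 +151,7 @@ static err_t ethernet_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_LINK;
@@ -182,7 +201,9 @@ static err_t ethernet_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -238,7 +259,7 @@ static err_t ip4_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -272,7 +293,7 @@ static err_t ip4_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -322,7 +343,9 @@ static err_t ip4_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -373,7 +396,7 @@ static err_t ip6_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -407,7 +430,7 @@ static err_t ip6_filter_with_wolfsentry(
 case FILT_LISTENING:
 case FILT_STOP_LISTENING:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -457,7 +480,9 @@ static err_t ip6_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -511,7 +536,7 @@ static err_t tcp_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_ACCEPTING:
@@ -589,7 +614,7 @@ static err_t tcp_filter_with_wolfsentry(
 case FILT_DISSOCIATE:
 case FILT_ADDR_UNREACHABLE:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 #if LWIP_IPV6
@@ -658,10 +683,12 @@ static err_t tcp_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-ret = ERR_RST;
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
 else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+ret = ERR_RST;
 else
 ret = ERR_OK;
 
@@ -723,7 +750,7 @@ static err_t udp_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_BINDING:
@@ -778,7 +805,7 @@ static err_t udp_filter_with_wolfsentry(
 case FILT_ADDR_UNREACHABLE:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 #if LWIP_IPV6
@@ -847,10 +874,12 @@ static err_t udp_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-ret = ERR_RST;
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
 else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+ret = ERR_RST;
 else
 ret = ERR_OK;
 
@@ -910,7 +939,7 @@ static err_t icmp4_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -945,7 +974,7 @@ static err_t icmp4_filter_with_wolfsentry(
 case FILT_STOP_LISTENING:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -995,7 +1024,9 @@ static err_t icmp4_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;
@@ -1046,7 +1077,7 @@ static err_t icmp6_filter_with_wolfsentry(
 #endif
 
 if (wolfsentry == NULL)
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
 switch(event->reason) {
 case FILT_RECEIVING:
@@ -1081,7 +1112,7 @@ static err_t icmp6_filter_with_wolfsentry(
 case FILT_STOP_LISTENING:
 case FILT_CLOSE_WAIT:
 /* can't happen. */
-WOLFSENTRY_RETURN_VALUE(ERR_OK);
+WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 }
 
 remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -1131,7 +1162,9 @@ static err_t icmp6_filter_with_wolfsentry(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
 ret = ERR_ABRT;
 else
 ret = ERR_OK;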
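Review bot: The reordering in tcp_filter_with_wolfsentry (new lines 686-693) changes the success path as well as the failure path: a result carrying both WOLFSENTRY_ACTION_RES_REJECT and WOLFSENTRY_ACTION_RES_PORT_RESET now yields ERR_ABRT where it used to yield ERR_RST, and udp_filter_with_wolfsentry (new lines 877-884) has the same change. If PORT_RESET is normally set alongside REJECT (not visible in this diff), ERR_RST becomes reachable only for results that do not reject. To keep the old precedence, test the failure first and leave the rest in the original order, i.e. put `else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET)) ret = ERR_RST;` ahead of the REJECT branch; if the new precedence is intended, the commit message should say so. Both functions start and end outside the hunks shown.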

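--- a/src/wolfip/packet_filter_glue.c
+++ b/src/wolfip/packet_filter_glue.c
@@ -129,6 +129,26 @@ static int wolfip_action_rejects(wolfsentry_action_res_t action_results)
 return 0;
 }
 
+/* On a dispatch failure the action_results are not trustworthy. Fall back to
+* the context's configured default policy: reject only if that policy rejects,
+* or if it can't be determined (including a NULL context).
+*/
+static int wolfip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_IN)
+{
+wolfsentry_action_res_t default_policy;
+wolfsentry_errcode_t ws_ret;
+if (wolfsentry == NULL)
+return 1;
+ws_ret = wolfsentry_context_lock_shared(WOLFSENTRY_CONTEXT_ARGS_OUT);
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+return 1;
+ws_ret = wolfsentry_route_default_policy_get(WOLFSENTRY_CONTEXT_ARGS_OUT, &default_policy);
+(void)wolfsentry_context_unlock(WOLFSENTRY_CONTEXT_ARGS_OUT);
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+return 1;
+return WOLFSENTRY_MASKIN_BITS(default_policy, WOLFSENTRY_ACTION_RES_REJECT) ? 1 : 0;
+}
+
 static int wolfip_dispatch_event(
 struct wolfsentry_context *wolfsentry,
 wolfsentry_route_flags_t route_flags,
@@ -138,10 +158,11 @@ static int wolfip_dispatch_event(
 const struct wolfIP_filter_event *event)
 {
 wolfsentry_errcode_t ws_ret;
+int reject;
 WOLFSENTRY_THREAD_HEADER_DECLS
 
 if (wolfsentry == NULL)
-return 0;
+return -WOLFIP_EACCES;
 
 if (WOLFSENTRY_THREAD_HEADER_INIT(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
 return -WOLFIP_EACCES;
@@ -160,10 +181,15 @@ static int wolfip_dispatch_event(
 
 WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
+if (WOLFSENTRY_IS_FAILURE(ws_ret))
+reject = wolfip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT);
+else
+reject = wolfip_action_rejects(*action_results);
+
 if (WOLFSENTRY_THREAD_TAILER(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
 return -WOLFIP_EACCES;
 
-if (wolfip_action_rejects(*action_results))
+if (reject)
 return -WOLFIP_EACCES;
 
 return 0;
@@ -209,7 +235,7 @@ static int wolfip_filter_ethernet(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_link_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -261,7 +287,7 @@ static int wolfip_filter_ipv4(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -360,7 +386,7 @@ static int wolfip_filter_tcp(
 action_results = WOLFSENTRY_ACTION_RES_DEROGATORY;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -442,7 +468,7 @@ static int wolfip_filter_udp(
 WOLFSENTRY_ACTION_RES_EXCLUDE_REJECT_ROUTES;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -504,7 +530,7 @@ static int wolfip_filter_icmp(
 action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
 break;
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 
 wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -518,8 +544,10 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
 {
 struct wolfsentry_context *wolfsentry = (struct wolfsentry_context *)arg;
 
-if ((wolfsentry == NULL) || (event == NULL))
-return 0;
+if (wolfsentry == NULL)
+return -WOLFIP_EACCES;
+if (event == NULL)
+return -WOLFIP_EACCES;
 
 switch (event->meta.ip_proto) {
 case WOLFIP_FILTER_PROTO_ETH:
@@ -533,7 +561,7 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
 case WOLFIP_FILTER_PROTO_ICMP:
 return wolfip_filter_icmp(wolfsentry, event);
 default:
-return 0;
+return -WOLFIP_EACCES;
 }
 }
 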
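Review bot: The dispatch-failure branch in wolfip_dispatch_event (new lines 184-187) rejects only when the default policy carries WOLFSENTRY_ACTION_RES_REJECT, so under an accept default a failed dispatch still returns 0 and the packet is admitted. That is fail-to-default rather than fail-closed as the commit title says, and lwip_ws_failure_rejects in src/lwip/packet_filter_glue.c has the same shape. If this is intended, the helper comment should say so outright, e.g. `/* NOTE: with an ACCEPT default policy a dispatch failure admits the packet. */`, and the branch should bump a counter or log so operators can tell error-path verdicts from policy verdicts. The same branch leaves `*action_results` holding the untrusted value while the return code comes from the default policy; presumably callers do not read it after an error, but that is not visible in this diff.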
