Harden fail-closed handling, fix mutex leaks, and add mutation-verified tests

src/events.c

@@ -363,7 +363,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_update_config(WOLFSENTRY_CO
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_1(WOLFSENTRY_CONTEXT_ARGS_OUT, label, label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
 
     if (event->config == NULL) {
         if ((event->config = (struct wolfsentry_eventconfig_internal *)WOLFSENTRY_MALLOC(sizeof *event->config)) == NULL)
@@ -618,7 +618,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_set_aux_event(
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, event_label, event_label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
     if (WOLFSENTRY_CHECK_BITS(event->flags, WOLFSENTRY_EVENT_FLAG_IS_SUBEVENT)) {
         ret = WOLFSENTRY_ERROR_ENCODE(INCOMPATIBLE_STATE);
         goto out;

src/json/load_config.c

@@ -876,6 +876,8 @@ static wolfsentry_errcode_t handle_route_endpoint_clause(struct wolfsentry_json_
     }
 #endif
     else if (! strcmp(jps->cur_keyname, "prefix-bits")) {
+        wolfsentry_addr_bits_t max_bits;
+        wolfsentry_errcode_t ret;
         if (sa->sa_family == WOLFSENTRY_AF_UNSPEC)
             WOLFSENTRY_ERROR_RETURN(CONFIG_OUT_OF_SEQUENCE);
 #ifdef WOLFSENTRY_ADDR_BITMASK_MATCHING
@@ -888,7 +890,16 @@ static wolfsentry_errcode_t handle_route_endpoint_clause(struct wolfsentry_json_
             WOLFSENTRY_ERROR_RETURN(CONFIG_MISPLACED_KEY);
         }
 #endif
-        WOLFSENTRY_ERROR_RERETURN(convert_uint16(type, data, data_size, &sa->addr_len));
+        ret = convert_uint16(type, data, data_size, &sa->addr_len);
+        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        ret = wolfsentry_addr_family_max_addr_bits(
+            JPS_WOLFSENTRY_CONTEXT_ARGS_OUT,
+            sa->sa_family,
+            &max_bits);
+        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        if (sa->addr_len > max_bits)
+            WOLFSENTRY_ERROR_RETURN(NUMERIC_ARG_TOO_BIG);
+        WOLFSENTRY_RETURN_OK;
     }
     else if (! strcmp(jps->cur_keyname, "interface")) {
         WOLFSENTRY_CLEAR_BITS(jps->o_u_c.route.flags,

src/lwip/packet_filter_glue.c

@@ -63,6 +63,25 @@
     }
 #endif
 
+/* On a dispatch failure the action_results are not trustworthy.  Fall back to
+ * the context's configured default policy: reject only if that policy rejects,
+ * or if it can't be determined (including a NULL context).
+ */
+static int lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_IN) {
+    wolfsentry_action_res_t default_policy;
+    wolfsentry_errcode_t ws_ret;
+    if (wolfsentry == NULL)
+        return 1;
+    ws_ret = wolfsentry_context_lock_shared(WOLFSENTRY_CONTEXT_ARGS_OUT);
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        return 1;
+    ws_ret = wolfsentry_route_default_policy_get(WOLFSENTRY_CONTEXT_ARGS_OUT, &default_policy);
+    (void)wolfsentry_context_unlock(WOLFSENTRY_CONTEXT_ARGS_OUT);
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        return 1;
+    return WOLFSENTRY_MASKIN_BITS(default_policy, WOLFSENTRY_ACTION_RES_REJECT) ? 1 : 0;
+}
+
 #if LWIP_ARP || LWIP_ETHERNET
 
 #include "netif/ethernet.h"
@@ -101,7 +120,7 @@ static err_t ethernet_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -132,7 +151,7 @@ static err_t ethernet_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_LINK;
@@ -182,7 +201,9 @@ static err_t ethernet_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -238,7 +259,7 @@ static err_t ip4_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -272,7 +293,7 @@ static err_t ip4_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -322,7 +343,9 @@ static err_t ip4_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -373,7 +396,7 @@ static err_t ip6_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -407,7 +430,7 @@ static err_t ip6_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -457,7 +480,9 @@ static err_t ip6_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -511,7 +536,7 @@ static err_t tcp_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_ACCEPTING:
@@ -589,7 +614,7 @@ static err_t tcp_filter_with_wolfsentry(
     case FILT_DISSOCIATE:
     case FILT_ADDR_UNREACHABLE:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
 #if LWIP_IPV6
@@ -658,10 +683,12 @@ static err_t tcp_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-        ret = ERR_RST;
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
     else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+        ret = ERR_RST;
     else
         ret = ERR_OK;
 
@@ -723,7 +750,7 @@ static err_t udp_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_BINDING:
@@ -778,7 +805,7 @@ static err_t udp_filter_with_wolfsentry(
     case FILT_ADDR_UNREACHABLE:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
 #if LWIP_IPV6
@@ -847,10 +874,12 @@ static err_t udp_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-        ret = ERR_RST;
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
     else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+        ret = ERR_RST;
     else
         ret = ERR_OK;
 
@@ -910,7 +939,7 @@ static err_t icmp4_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -945,7 +974,7 @@ static err_t icmp4_filter_with_wolfsentry(
     case FILT_STOP_LISTENING:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -995,7 +1024,9 @@ static err_t icmp4_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -1046,7 +1077,7 @@ static err_t icmp6_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -1081,7 +1112,7 @@ static err_t icmp6_filter_with_wolfsentry(
     case FILT_STOP_LISTENING:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -1131,7 +1162,9 @@ static err_t icmp6_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret))
+        ret = lwip_ws_failure_rejects(WOLFSENTRY_CONTEXT_ARGS_OUT) ? ERR_ABRT : ERR_OK;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;