wolfSSL · douzzer · Apr 17, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/src/addr_families.c b/src/addr_families.c
@@ -324,7 +324,7 @@ WOLFSENTRY_LOCAL wolfsentry_errcode_t wolfsentry_addr_family_clone(
     if ((*new_bynumber = (struct wolfsentry_addr_family_bynumber *)WOLFSENTRY_MALLOC_1(dest_context->hpi.allocator, sizeof **new_bynumber)) == NULL)
         WOLFSENTRY_ERROR_RETURN(SYS_RESOURCE_FAILED);
     if ((*new_byname = (struct wolfsentry_addr_family_byname *)WOLFSENTRY_MALLOC_1(dest_context->hpi.allocator, byname_size)) == NULL) {
-        (void)WOLFSENTRY_FREE_1(dest_context->hpi.allocator, (void *)new_byname);
+        (void)WOLFSENTRY_FREE_1(dest_context->hpi.allocator, (void *)*new_bynumber);
         WOLFSENTRY_ERROR_RETURN(SYS_RESOURCE_FAILED);
     }
     memcpy(*new_bynumber, src_bynumber, sizeof **new_bynumber);

diff --git a/src/json/centijson_dom.c b/src/json/centijson_dom.c
@@ -266,10 +266,17 @@ json_dom_process(JSON_TYPE type, const unsigned char* data, size_t data_size, vo
          * append their json_values. */
         if(dom_parser->path_size >= dom_parser->path_alloc) {
             JSON_VALUE** new_path;
-            size_t new_path_alloc = dom_parser->path_alloc * 2;
+            size_t new_path_alloc;
 
-            if(new_path_alloc == 0)
+            if(dom_parser->path_alloc == 0) {
                 new_path_alloc = 32;
+            }
+            else if(dom_parser->path_alloc > SIZE_MAX / 2 / sizeof(JSON_VALUE*)) {
+                return JSON_ERR_OUTOFMEMORY;
+            }
+            else {
+                new_path_alloc = dom_parser->path_alloc * 2;
+            }
             new_path = (JSON_VALUE**) realloc((void *)dom_parser->path, new_path_alloc * sizeof(JSON_VALUE*));
             if(new_path == NULL)
                 return JSON_ERR_OUTOFMEMORY;
@@ -617,8 +624,14 @@ json_dom_dump_helper(
                     keys_size = json_value_dict_keys_ordered(node, keys, n);
                 else
                     keys_size = json_value_dict_keys_sorted(node, keys, n);
-                if (keys_size != n)
+                if (keys_size != n) {
+#ifdef WOLFSENTRY
+                    json_free(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), (void *)keys);
+#else
+                    free((void *)keys);
+#endif
                     return JSON_ERR_INTERNAL;
+                }
 
                 for(i = 0; i < n; i++) {
                     JSON_VALUE* json_value;

diff --git a/src/json/centijson_sax.c b/src/json/centijson_sax.c
@@ -857,10 +857,11 @@ json_feed(JSON_PARSER* parser, const unsigned char* input, size_t size)
     {
         /* Update parser->pos to point to the exact place. */
         while(parser->pos.offset < parser->config.max_total_len) {
+            ch = input[off];
+            off++;
             parser->pos.offset++;
             parser->pos.column_number++;
-            off++;
-            json_handle_new_line(parser, input[off]);
+            json_handle_new_line(parser, ch);
         }
 
         json_raise(parser, JSON_ERR_MAXTOTALLEN);
@@ -891,10 +892,18 @@ json_feed(JSON_PARSER* parser, const unsigned char* input, size_t size)
 
             if(parser->nesting_level >= parser->nesting_stack_size) {
                 unsigned char* new_nesting_stack;
-                size_t new_nesting_stack_size = parser->nesting_stack_size * 2;
+                size_t new_nesting_stack_size;
 
-                if(new_nesting_stack_size == 0)
+                if(parser->nesting_stack_size == 0) {
                     new_nesting_stack_size = 32;
+                }
+                else if(parser->nesting_stack_size > SIZE_MAX / 2) {
+                    json_raise(parser, JSON_ERR_OUTOFMEMORY);
+                    break;
+                }
+                else {
+                    new_nesting_stack_size = parser->nesting_stack_size * 2;
+                }
                 new_nesting_stack = (unsigned char *)realloc(parser->nesting_stack, new_nesting_stack_size);
                 if(new_nesting_stack == NULL) {
                     json_raise(parser, JSON_ERR_OUTOFMEMORY);

diff --git a/src/json/centijson_value.c b/src/json/centijson_value.c
@@ -1794,15 +1794,21 @@ json_value_dict_clean(
             WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator),
 #endif
             &node->key);
-        if (ret < 0)
+        if (ret < 0) {
+            free(node);
+            free((void *)stack);
             return ret;
+        }
         ret = json_value_fini(
 #ifdef WOLFSENTRY
             WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator),
 #endif
             &node->json_value);
-        if (ret < 0)
+        if (ret < 0) {
+            free(node);
+            free((void *)stack);
             return ret;
+        }
         free(node);
 
         stack_size += json_value_dict_leftmost_path(stack + stack_size, right);
@@ -1928,40 +1934,40 @@ json_value_clone(WOLFSENTRY_CONTEXT_ARGS_IN_EX(struct wolfsentry_allocator *allo
                         break;
                     }
                     ret = json_value_clone(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), &src_dict_node->json_value, dest_node);
+                    if (ret < 0)
+                        break;
                     src_dict_node = src_dict_node->order_next;
                 }
             } else {
                 int stack_size;
                 RBTREE **stack = (RBTREE **)malloc(rbtree_stack_size_needed(src_dict)); /* put this on the heap to avoid runaway growth of stack on deep JSON trees. */
                 if (! stack) {
                     ret = JSON_ERR_OUTOFMEMORY;
-                    break;
-                }
-
-                stack_size = json_value_dict_leftmost_path(stack, src_dict->root);
-
-                while(stack_size > 0) {
-                    src_dict_node = stack[--stack_size];
-                    dest_node = json_value_dict_get_or_add_(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), clone, json_value_string(&src_dict_node->key), json_value_string_length(&src_dict_node->key));
-                    if (! dest_node) {
-                        ret = JSON_ERR_OUTOFMEMORY;
-                        break;
+                } else {
+                    stack_size = json_value_dict_leftmost_path(stack, src_dict->root);
+
+                    while(stack_size > 0) {
+                        src_dict_node = stack[--stack_size];
+                        dest_node = json_value_dict_get_or_add_(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), clone, json_value_string(&src_dict_node->key), json_value_string_length(&src_dict_node->key));
+                        if (! dest_node) {
+                            ret = JSON_ERR_OUTOFMEMORY;
+                            break;
+                        }
+                        ret = json_value_clone(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), &src_dict_node->json_value, dest_node);
+                        if (ret < 0)
+                            break;
+                        stack_size += json_value_dict_leftmost_path(stack + stack_size, src_dict_node->right);
                     }
-                    ret = json_value_clone(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), &src_dict_node->json_value, dest_node);
-                    if (ret < 0)
-                        break;
-                    stack_size += json_value_dict_leftmost_path(stack + stack_size, src_dict_node->right);
-                }
-
-                free((void *)stack);
 
-                break;
+                    free((void *)stack);
+                }
             }
             if (ret < 0) {
                 int ret2 = json_value_fini(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), clone);
                 if (ret2 < 0)
                     WOLFSENTRY_WARN("json_value_fini: %s\n", json_error_str(ret2));
             }
+            break;
         }
     }
 

diff --git a/src/json/load_config.c b/src/json/load_config.c
@@ -26,6 +26,7 @@
 #define WOLFSENTRY_SOURCE_ID WOLFSENTRY_SOURCE_ID_JSON_LOAD_CONFIG_C
 
 #include <stdlib.h>
+#include <limits.h>
 
 #define MAX_IPV4_ADDR_BITS (sizeof(struct in_addr) * BITS_PER_BYTE)
 #define MAX_IPV6_ADDR_BITS (sizeof(struct in6_addr) * BITS_PER_BYTE)
@@ -384,12 +385,18 @@ static wolfsentry_errcode_t convert_wolfsentry_duration(struct wolfsentry_contex
 
     switch (*endptr) {
     case 'd':
+        if (conv > LONG_MAX / 24 || conv < LONG_MIN / 24)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 24;
         /* fallthrough */
     case 'h':
+        if (conv > LONG_MAX / 60 || conv < LONG_MIN / 60)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 60;
         /* fallthrough */
     case 'm':
+        if (conv > LONG_MAX / 60 || conv < LONG_MIN / 60)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 60;
         /* fallthrough */
     case 's':
@@ -1968,7 +1975,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_fini(
         struct wolfsentry_route_table *old_route_table, *new_route_table;
         if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_ACTUAL_CONTEXT_ARGS_OUT, &old_route_table)) < 0)
             goto out;
-        if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_ACTUAL_CONTEXT_ARGS_OUT, &new_route_table)) < 0)
+        if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_CONTEXT_ARGS_OUT, &new_route_table)) < 0)
             goto out;
         if (wolfsentry_table_n_deletes((struct wolfsentry_table_header *)new_route_table)
             != wolfsentry_table_n_deletes((struct wolfsentry_table_header *)old_route_table))

diff --git a/src/kv.c b/src/kv.c
@@ -1054,7 +1054,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_user_value_get_json(
     struct wolfsentry_kv_pair_internal **user_value_record)
 {
     wolfsentry_errcode_t ret;
-    if ((ret = wolfsentry_kv_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry->user_values, key, key_len, WOLFSENTRY_KV_STRING, user_value_record)) < 0)
+    if ((ret = wolfsentry_kv_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry->user_values, key, key_len, WOLFSENTRY_KV_JSON, user_value_record)) < 0)
         WOLFSENTRY_ERROR_RERETURN(ret);
     *value = WOLFSENTRY_KV_V_JSON(&(*user_value_record)->kv);
     WOLFSENTRY_RETURN_OK;

diff --git a/src/lwip/packet_filter_glue.c b/src/lwip/packet_filter_glue.c
@@ -1098,10 +1098,10 @@ static err_t icmp6_filter_with_wolfsentry(
     else
         memset(&local.local.addr, 0, sizeof *laddr);
 
-    remote.remote.sa_proto = IPPROTO_ICMP;
+    remote.remote.sa_proto = IPPROTO_ICMPV6;
     remote.remote.sa_port = 0;
 
-    local.local.sa_proto = IPPROTO_ICMP;
+    local.local.sa_proto = IPPROTO_ICMPV6;
     local.local.sa_port = icmp6_type;
 
     if (event->netif)

diff --git a/src/routes.c b/src/routes.c
@@ -520,7 +520,7 @@ static int compare_match_exactness(const struct wolfsentry_route *target, const
         } else
 #endif
         {
-            right_match_score = addr_prefix_match_size(WOLFSENTRY_ROUTE_LOCAL_ADDR(target), WOLFSENTRY_ROUTE_LOCAL_ADDR_BITS(target), WOLFSENTRY_ROUTE_LOCAL_ADDR(right), WOLFSENTRY_ROUTE_LOCAL_ADDR_BITS(right));
+            right_match_score = addr_prefix_match_size(WOLFSENTRY_ROUTE_REMOTE_ADDR(target), WOLFSENTRY_ROUTE_REMOTE_ADDR_BITS(target), WOLFSENTRY_ROUTE_REMOTE_ADDR(right), WOLFSENTRY_ROUTE_REMOTE_ADDR_BITS(right));
         }
     }
 
@@ -2366,6 +2366,9 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_0(
     wolfsentry_route_flags_t current_rule_route_flags;
     wolfsentry_errcode_t ret;
     wolfsentry_time_t now;
+    int penalty_triggered = 0;
+    wolfsentry_hitcount_t derog_snap;
+    wolfsentry_hitcount_t commend_snap;
 
     if (target_route == NULL)
         WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
@@ -2553,18 +2556,25 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_0(
         }
     }
 
+    /* Snapshot atomic counts once so the guard and arithmetic operate on the
+     * same values (avoid TOCTOU between successive loads). */
+    derog_snap = WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count);
+    commend_snap = WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.commendable_count);
+    if (config->config.derogatory_threshold_for_penaltybox > 0) {
+        if (config->config.flags & WOLFSENTRY_EVENTCONFIG_FLAG_DEROGATORY_THRESHOLD_IGNORE_COMMENDABLE) {
+            penalty_triggered = (derog_snap >= config->config.derogatory_threshold_for_penaltybox);
+        } else {
+            penalty_triggered = (derog_snap >= commend_snap)
+                && ((derog_snap - commend_snap)
+                    >= config->config.derogatory_threshold_for_penaltybox);
+        }
+    }
+
     if (current_rule_route_flags & WOLFSENTRY_ROUTE_FLAG_PENALTYBOXED) {
         *action_results |= WOLFSENTRY_ACTION_RES_REJECT;
         ret = WOLFSENTRY_ERROR_ENCODE(OK);
         goto done;
-    } else if ((config->config.derogatory_threshold_for_penaltybox > 0)
-               && ((config->config.flags & WOLFSENTRY_EVENTCONFIG_FLAG_DEROGATORY_THRESHOLD_IGNORE_COMMENDABLE) ?
-                   (WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count)
-                    >= config->config.derogatory_threshold_for_penaltybox)
-                   :
-                   (WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count)
-                    - WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.commendable_count)
-                    >= (int)config->config.derogatory_threshold_for_penaltybox)))
+    } else if (penalty_triggered)
     {
         wolfsentry_route_flags_t flags_before;
         WOLFSENTRY_WARN_ON_FAILURE(
@@ -2961,6 +2971,10 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_by_route_1(
             goto out;
     }
 
+    if (route->header.parent_table == NULL) {
+        ret = WOLFSENTRY_ERROR_ENCODE(INTERNAL_CHECK_FATAL);
+        goto out;
+    }
     if (route->header.parent_table->ent_type != WOLFSENTRY_OBJECT_TYPE_ROUTE) {
         ret = WOLFSENTRY_ERROR_ENCODE(WRONG_OBJECT);
         goto out;
@@ -3095,7 +3109,7 @@ static wolfsentry_errcode_t wolfsentry_route_stale_purge_1(
                 (! (route->flags & WOLFSENTRY_ROUTE_FLAG_PENDING_DELETE)) &&
                 ((table->max_purgeable_idle_time == 0) || (now - route->meta.last_hit_time > table->max_purgeable_idle_time)))
             {
-                continue;
+                break;
             }
         }
 #ifdef WOLFSENTRY_THREADSAFE
@@ -3545,9 +3559,9 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_route_table_get_default_event(
     char *event_label,
     int *event_label_len)
 {
-    if (table->default_event == NULL)
-        WOLFSENTRY_ERROR_RETURN(ITEM_NOT_FOUND);
     WOLFSENTRY_SHARED_OR_RETURN();
+    if (table->default_event == NULL)
+        WOLFSENTRY_ERROR_UNLOCK_AND_RETURN(ITEM_NOT_FOUND);
     if (table->default_event->label_len >= *event_label_len)
         WOLFSENTRY_ERROR_UNLOCK_AND_RETURN(BUFFER_TOO_SMALL);
     memcpy(event_label, table->default_event->label, (size_t)(table->default_event->label_len + 1));
@@ -3776,7 +3790,7 @@ WOLFSENTRY_API int wolfsentry_inet6_ntoa(const byte *addr, unsigned int addr_bit
     int i;
     const char *start_buf = buf;
     int this_zerospan_length = 0;
-    int this_zerospan_offset;
+    int this_zerospan_offset = 0;
     int longest_zerospan_length = 0;
     int longest_zerospan_offset = 0;
 
@@ -4433,8 +4447,6 @@ static wolfsentry_errcode_t wolfsentry_route_render_address(WOLFSENTRY_CONTEXT_A
         int fmt_buf_len = (int)sizeof(fmt_buf);
         int ret = wolfsentry_inet6_ntoa(addr, addr_bits, fmt_buf, &fmt_buf_len);
         WOLFSENTRY_RERETURN_IF_ERROR(ret);
-        if (fprintf(f, "%.*s/%u", fmt_buf_len, fmt_buf, addr_bits) < 0)
-            WOLFSENTRY_ERROR_RETURN(IO_FAILED);
         if (fprintf(f, "[%.*s]/%u", fmt_buf_len, fmt_buf, addr_bits) < 0)
             WOLFSENTRY_ERROR_RETURN(IO_FAILED);
     } else if (sa_family == WOLFSENTRY_AF_LOCAL) {
@@ -4517,7 +4529,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_route_render_flags(wolfsentry_rou
         } else
             already = 1;
         if (rendername == NULL) {
-            if (fprintf(stderr, "unk-0x%x", masked_flags) < 0)
+            if (fprintf(f, "unk-0x%x", masked_flags) < 0)
                 WOLFSENTRY_ERROR_RETURN(IO_FAILED);
         } else {
             if (fputs(rendername, f) < 0)
@@ -4536,7 +4548,7 @@ static wolfsentry_errcode_t wolfsentry_route_render_endpoint(WOLFSENTRY_CONTEXT_
     const byte *addr = (sa_local_p ? WOLFSENTRY_ROUTE_LOCAL_ADDR(r) : WOLFSENTRY_ROUTE_REMOTE_ADDR(r));
 
     if (sa_local_p ? (r->flags & WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD) : (r->flags & WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) {
-        if (fputs("*", stdout) < 0)
+        if (fputs("*", f) < 0)
             WOLFSENTRY_ERROR_RETURN(IO_FAILED);
     }
 #ifdef WOLFSENTRY_ADDR_BITMASK_MATCHING
@@ -4642,7 +4654,7 @@ static wolfsentry_errcode_t wolfsentry_route_exports_render_endpoint(WOLFSENTRY_
     const byte *addr = (sa_local_p ? r->local_address : r->remote_address);
 
     if (sa_local_p ? (r->flags & WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD) : (r->flags & WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_ADDR_WILDCARD)) {
-        if (fputs("*", stdout) < 0)
+        if (fputs("*", f) < 0)
             WOLFSENTRY_ERROR_RETURN(IO_FAILED);
     }
 #ifdef WOLFSENTRY_ADDR_BITMASK_MATCHING