Correctness and memory-safety hardening across lock, route, and config paths

src/actions.c

@@ -425,7 +425,11 @@ WOLFSENTRY_LOCAL wolfsentry_errcode_t wolfsentry_action_list_insert_after(
     }
     ret = wolfsentry_action_list_insert_after_1(WOLFSENTRY_CONTEXT_ARGS_OUT, action_list, action, point_action);
     ret2 = wolfsentry_action_drop_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, point_action, NULL /* action_results */);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret2);
+    /* a drop-reference failure here leaks one refcount on point_action, but
+     * don't promote it to the caller's return code: the insert result is the
+     * caller-visible outcome, and returning ret2 would invite a bogus rollback.
+     */
+    WOLFSENTRY_WARN_ON_FAILURE(ret2);
     if (ret < 0) {
         WOLFSENTRY_WARN_ON_FAILURE(wolfsentry_action_drop_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, action, NULL /* action_results */));
         WOLFSENTRY_ERROR_UNLOCK_AND_RERETURN(ret);

src/addr_families.c

@@ -773,6 +773,8 @@ static wolfsentry_errcode_t wolfsentry_addr_family_ntop_1(
         { *family_name = "HYLINK"; WOLFSENTRY_RETURN_OK; }
     case WOLFSENTRY_AF_LINK:
         { *family_name = "LINK"; WOLFSENTRY_RETURN_OK; }
+    case WOLFSENTRY_AF_LINK64:
+        { *family_name = "LINK64"; WOLFSENTRY_RETURN_OK; }
     case WOLFSENTRY_AF_COIP:
         { *family_name = "COIP"; WOLFSENTRY_RETURN_OK; }
     case WOLFSENTRY_AF_CNT:

src/events.c

@@ -348,7 +348,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_get_config(WOLFSENTRY_CONTE
     WOLFSENTRY_SHARED_OR_RETURN();
 
     ret = wolfsentry_event_get_1(WOLFSENTRY_CONTEXT_ARGS_OUT, label, label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
     if (event->config == NULL)
         ret = wolfsentry_eventconfig_get_1(WOLFSENTRY_CONTEXT_ARGS_OUT, &wolfsentry->config, config);
     else
@@ -363,7 +363,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_update_config(WOLFSENTRY_CO
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_1(WOLFSENTRY_CONTEXT_ARGS_OUT, label, label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
 
     if (event->config == NULL) {
         if ((event->config = (struct wolfsentry_eventconfig_internal *)WOLFSENTRY_MALLOC(sizeof *event->config)) == NULL)
@@ -618,7 +618,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_set_aux_event(
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, event_label, event_label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
     if (WOLFSENTRY_CHECK_BITS(event->flags, WOLFSENTRY_EVENT_FLAG_IS_SUBEVENT)) {
         ret = WOLFSENTRY_ERROR_ENCODE(INCOMPATIBLE_STATE);
         goto out;
@@ -697,7 +697,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_action_list_start(
     }
 
     if (w_a_l == NULL)
-        WOLFSENTRY_ERROR_UNLOCK_AND_RETURN(INVALID_ARG);
+        WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
 
     *cursor = (struct wolfsentry_action_list_ent *)w_a_l->header.head;
     if (*cursor == NULL)

src/json/load_config.c

@@ -1711,6 +1711,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_init_ex(
     struct wolfsentry_json_process_state **jps)
 {
     wolfsentry_errcode_t ret;
+    int locked = 0;
     static const JSON_CALLBACKS json_callbacks = {
 #ifdef WOLFSENTRY_HAVE_DESIGNATED_INITIALIZERS
         .process =
@@ -1720,15 +1721,15 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_init_ex(
 
     static const JSON_CONFIG default_json_config = {
 #ifdef WOLFSENTRY_HAVE_DESIGNATED_INITIALIZERS
-        .max_total_len = 0,
+        .max_total_len = WOLFSENTRY_MAX_JSON_TOTAL_LEN,
         .max_total_values = 0,
         .max_number_len = 20,
         .max_string_len = WOLFSENTRY_KV_MAX_VALUE_BYTES,
         .max_key_len = WOLFSENTRY_MAX_LABEL_BYTES,
         .max_nesting_level = WOLFSENTRY_MAX_JSON_NESTING,
         .flags = JSON_NOSCALARROOT
 #else
-        0,
+        WOLFSENTRY_MAX_JSON_TOTAL_LEN,
         0,
         20,
         WOLFSENTRY_KV_MAX_VALUE_BYTES,
@@ -1760,44 +1761,49 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_init_ex(
 #ifdef WOLFSENTRY_HAVE_JSON_DOM
         (*jps)->dom_parser_flags |= JSON_DOM_DUPKEY_ABORT;
 #else
-        WOLFSENTRY_ERROR_RETURN(IMPLEMENTATION_MISSING);
+        { ret = WOLFSENTRY_ERROR_ENCODE(IMPLEMENTATION_MISSING); goto out; }
 #endif
     }
     if (WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_DUPKEY_USEFIRST)) {
 #ifdef WOLFSENTRY_HAVE_JSON_DOM
         (*jps)->dom_parser_flags |= JSON_DOM_DUPKEY_USEFIRST;
 #else
-        WOLFSENTRY_ERROR_RETURN(IMPLEMENTATION_MISSING);
+        { ret = WOLFSENTRY_ERROR_ENCODE(IMPLEMENTATION_MISSING); goto out; }
 #endif
     }
     if (WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_DUPKEY_USELAST)) {
 #ifdef WOLFSENTRY_HAVE_JSON_DOM
         (*jps)->dom_parser_flags |= JSON_DOM_DUPKEY_USELAST;
 #else
-        WOLFSENTRY_ERROR_RETURN(IMPLEMENTATION_MISSING);
+        { ret = WOLFSENTRY_ERROR_ENCODE(IMPLEMENTATION_MISSING); goto out; }
 #endif
     }
     if (WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_JSON_DOM_MAINTAINDICTORDER)) {
 #ifdef WOLFSENTRY_HAVE_JSON_DOM
         (*jps)->dom_parser_flags |= JSON_DOM_MAINTAINDICTORDER;
 #else
-        WOLFSENTRY_ERROR_RETURN(IMPLEMENTATION_MISSING);
+        { ret = WOLFSENTRY_ERROR_ENCODE(IMPLEMENTATION_MISSING); goto out; }
 #endif
     }
 
 #ifdef WOLFSENTRY_THREADSAFE
     if ((! WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN|WOLFSENTRY_CONFIG_LOAD_FLAG_LOAD_THEN_COMMIT)) ||
         (thread == NULL))
     {
-        WOLFSENTRY_MUTEX_OR_RETURN();
-    } else if (WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN))
-        WOLFSENTRY_SHARED_OR_RETURN();
-    else {
+        if ((ret = WOLFSENTRY_MUTEX_EX(wolfsentry)) < 0)
+            goto out;
+    } else if (WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN)) {
+        /* thread == NULL is already routed to the mutex path above. */
+        if ((ret = WOLFSENTRY_SHARED_EX(wolfsentry)) < 0)
+            goto out;
+    } else {
         ret = WOLFSENTRY_PROMOTABLE_EX(wolfsentry);
-        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        if (ret < 0)
+            goto out;
         if (WOLFSENTRY_SUCCESS_CODE_IS(ret, LOCK_OK_AND_GOT_RESV))
             (*jps)->got_reservation = 1;
     }
+    locked = 1;
 #endif
 
     (*jps)->wolfsentry_actual = wolfsentry;
@@ -1834,7 +1840,8 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_init_ex(
 
     /* initialize with defaults already set in context, particularly to pick up route_private_data* fields. */
     ret = wolfsentry_defaultconfig_get(JPSP_WOLFSENTRY_CONTEXT_ARGS_OUT, &(*jps)->default_config);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    if (ret < 0)
+        goto out;
 
     if (! WOLFSENTRY_MASKIN_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_DRY_RUN|WOLFSENTRY_CONFIG_LOAD_FLAG_NO_FLUSH|WOLFSENTRY_CONFIG_LOAD_FLAG_LOAD_THEN_COMMIT)) {
         if (WOLFSENTRY_CHECK_BITS(load_flags, WOLFSENTRY_CONFIG_LOAD_FLAG_FLUSH_ONLY_ROUTES)) {
@@ -1856,7 +1863,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_init_ex(
 
     if (ret < 0) {
 #ifdef WOLFSENTRY_THREADSAFE
-        {
+        if (locked) {
             wolfsentry_errcode_t _lock_ret;
             if ((*jps)->got_reservation)
                 _lock_ret = wolfsentry_context_unlock_and_abandon_reservation(wolfsentry, thread);

src/kv.c

@@ -434,7 +434,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_kv_render_value(
         *out_len = snprintf(out, out_space, "%.10f", WOLFSENTRY_KV_V_FLOAT(kv));
         break;
     case WOLFSENTRY_KV_STRING: {
-#ifndef HAVE_JSON_DOM
+#ifndef WOLFSENTRY_HAVE_JSON_DOM
         *out_len = snprintf(out, out_space, "\"%.*s\"", (int)WOLFSENTRY_KV_V_STRING_LEN(kv), WOLFSENTRY_KV_V_STRING(kv));
         break;
 #else
@@ -517,8 +517,11 @@ WOLFSENTRY_LOCAL wolfsentry_errcode_t wolfsentry_kv_clone(
     if (WOLFSENTRY_KV_TYPE(&src_kv_pair->kv) == WOLFSENTRY_KV_JSON) {
         int ret = json_value_clone(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(wolfsentry_get_allocator(dest_context)),
                                    &src_kv_pair->kv.a.v_json, &(*new_kv_pair)->kv.a.v_json);
-        if (ret < 0)
+        if (ret < 0) {
+            WOLFSENTRY_FREE_1(dest_context->hpi.allocator, *new_kv_pair);
+            *new_kv_pair = NULL;
             WOLFSENTRY_ERROR_RERETURN(wolfsentry_centijson_errcode_translate(ret));
+        }
     }
 #endif
 

src/lwip/packet_filter_glue.c

@@ -1228,7 +1228,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_install_lwip_filter_icmp_callback
     WOLFSENTRY_MUTEX_OR_RETURN();
     if (icmp_mask) {
         wolfsentry_errcode_t ret = wolfsentry_cleanup_push(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry_cleanup_lwip_filter_callbacks, NULL);
-        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
     }
 #endif
 #if LWIP_ICMP
@@ -1270,7 +1270,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_install_lwip_filter_tcp_callback(
     WOLFSENTRY_MUTEX_OR_RETURN();
     if (tcp_mask) {
         wolfsentry_errcode_t ret = wolfsentry_cleanup_push(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry_cleanup_lwip_filter_callbacks, NULL);
-        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
         tcp_filter(tcp_filter_with_wolfsentry);
         /* make sure wolfSentry sees the close/reset events that balance earlier
          * accepts, for concurrent-connection accounting purposes.

src/routes.c

@@ -583,10 +583,10 @@ static void wolfsentry_route_update_flags_1(
 
 static void wolfsentry_route_free_1(
     WOLFSENTRY_CONTEXT_ARGS_IN,
-    struct wolfsentry_eventconfig_internal *config,
+    size_t route_private_data_alignment,
     struct wolfsentry_route *route)
 {
-    if (config->config.route_private_data_alignment == 0)
+    if (route_private_data_alignment == 0)
         WOLFSENTRY_FREE(route);
     else
         WOLFSENTRY_FREE_ALIGNED(route);
@@ -599,6 +599,10 @@ static wolfsentry_errcode_t wolfsentry_route_drop_reference_1(
     wolfsentry_action_res_t *action_results)
 {
     struct wolfsentry_eventconfig_internal *config = (route->parent_event && route->parent_event->config) ? route->parent_event->config : &wolfsentry->config;
+    /* snapshot the alignment before dropping the event reference, since the
+     * event (and its config) may be freed by the drop.
+     */
+    size_t route_private_data_alignment = config->config.route_private_data_alignment;
     wolfsentry_errcode_t ret;
     wolfsentry_refcount_t refs_left;
     if (route->header.refcount == 0)
@@ -612,7 +616,7 @@ static wolfsentry_errcode_t wolfsentry_route_drop_reference_1(
         WOLFSENTRY_RETURN_OK;
     if (route->parent_event)
         WOLFSENTRY_WARN_ON_FAILURE(wolfsentry_event_drop_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, route->parent_event, NULL /* action_results */));
-    wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, config, route);
+    wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, route_private_data_alignment, route);
     if (action_results)
         WOLFSENTRY_SET_BITS(*action_results, WOLFSENTRY_ACTION_RES_DEALLOCATED);
     WOLFSENTRY_RETURN_OK;
@@ -995,7 +999,7 @@ static wolfsentry_errcode_t wolfsentry_route_new(
         WOLFSENTRY_ERROR_RETURN(SYS_RESOURCE_FAILED);
     ret = wolfsentry_route_init(parent_event, remote, local, flags, (int)config->config.route_private_data_size, new_size, *new);
     if (ret < 0) {
-        wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, config, *new);
+        wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, config->config.route_private_data_alignment, *new);
         *new = NULL;
     } else {
         if (parent_event != NULL) {
@@ -1054,7 +1058,7 @@ static wolfsentry_errcode_t wolfsentry_route_new_by_exports(
         WOLFSENTRY_ERROR_RETURN(SYS_RESOURCE_FAILED);
     ret = wolfsentry_route_init_by_exports(parent_event, route_exports, config->config.route_private_data_size, new_size, *new);
     if (ret < 0) {
-        wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, config, *new);
+        wolfsentry_route_free_1(WOLFSENTRY_CONTEXT_ARGS_OUT, config->config.route_private_data_alignment, *new);
         *new = NULL;
     } else {
         if (parent_event != NULL) {
@@ -1174,7 +1178,7 @@ WOLFSENTRY_LOCAL wolfsentry_errcode_t wolfsentry_route_clone(
 #ifdef WOLFSENTRY_THREADSAFE
                                     thread,
 #endif
-                                    config, *new_route);
+                                    config->config.route_private_data_alignment, *new_route);
             WOLFSENTRY_ERROR_RERETURN(ret);
         }
         WOLFSENTRY_REFCOUNT_INCREMENT((*new_route)->parent_event->header.refcount, ret);
@@ -1330,7 +1334,7 @@ static wolfsentry_errcode_t wolfsentry_route_insert_1(
 
     if (route_to_insert->flags & WOLFSENTRY_ROUTE_FLAG_SA_FAMILY_WILDCARD) {
         if ((route_table->last_af_wildcard_route == NULL) ||
-            (wolfsentry_route_key_cmp_1(route_to_insert, route_table->last_af_wildcard_route, 0 /* match_wildcards_p */, NULL /* inexact_matches */) < 0))
+            (wolfsentry_route_key_cmp_1(route_to_insert, route_table->last_af_wildcard_route, 0 /* match_wildcards_p */, NULL /* inexact_matches */) > 0))
         {
             route_table->last_af_wildcard_route = route_to_insert;
         }
@@ -1987,6 +1991,9 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_route_table_default_policy_set(
 {
     if (WOLFSENTRY_MASKOUT_BITS(default_policy, WOLFSENTRY_ROUTE_DEFAULT_POLICY_MASK) != WOLFSENTRY_ACTION_RES_NONE)
         WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
+    if ((default_policy != WOLFSENTRY_ACTION_RES_NONE) &&
+        (! WOLFSENTRY_MASKIN_BITS(default_policy, WOLFSENTRY_ACTION_RES_ACCEPT | WOLFSENTRY_ACTION_RES_REJECT)))
+        WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
     WOLFSENTRY_MUTEX_OR_RETURN();
     table->default_policy = default_policy;
     if (table == wolfsentry->routes)
@@ -2162,10 +2169,19 @@ static wolfsentry_errcode_t wolfsentry_route_delete_0(
         wolfsentry_route_update_flags_1(route, WOLFSENTRY_ROUTE_FLAG_NONE, WOLFSENTRY_ROUTE_FLAG_IN_TABLE, &flags_before, &flags_after);
     }
 
-    if ((ret = wolfsentry_table_ent_delete_1(WOLFSENTRY_CONTEXT_ARGS_OUT, &route->header)) < 0) {
-        wolfsentry_route_flags_t flags_before, flags_after;
-        wolfsentry_route_update_flags_1(route, WOLFSENTRY_ROUTE_FLAG_IN_TABLE, WOLFSENTRY_ROUTE_FLAG_NONE, &flags_before, &flags_after);
-        WOLFSENTRY_ERROR_RERETURN(ret);
+    /* snapshot linked-list neighbor before delete_1 nullifies prev/next. */
+    {
+        struct wolfsentry_route *prev_route = (struct wolfsentry_route *)route->header.prev;
+        if ((ret = wolfsentry_table_ent_delete_1(WOLFSENTRY_CONTEXT_ARGS_OUT, &route->header)) < 0) {
+            wolfsentry_route_flags_t flags_before, flags_after;
+            wolfsentry_route_update_flags_1(route, WOLFSENTRY_ROUTE_FLAG_IN_TABLE, WOLFSENTRY_ROUTE_FLAG_NONE, &flags_before, &flags_after);
+            WOLFSENTRY_ERROR_RERETURN(ret);
+        }
+        if (route_table->last_af_wildcard_route == route) {
+            while (prev_route && ! (prev_route->flags & WOLFSENTRY_ROUTE_FLAG_SA_FAMILY_WILDCARD))
+                prev_route = (struct wolfsentry_route *)prev_route->header.prev;
+            route_table->last_af_wildcard_route = prev_route;
+        }
     }
 
 #ifdef WOLFSENTRY_ADDR_BITMASK_MATCHING
@@ -2191,9 +2207,6 @@ static wolfsentry_errcode_t wolfsentry_route_delete_0(
             WOLFSENTRY_WARN("wolfsentry_action_list_dispatch for wolfsentry_route_delete_0 returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret));
     }
 
-    if (route_table->last_af_wildcard_route == route)
-        route_table->last_af_wildcard_route = (struct wolfsentry_route *)route->header.prev;
-
     {
         wolfsentry_priority_t effective_priority = route->parent_event ? route->parent_event->priority : 0;
         if (effective_priority == route_table->highest_priority_route_in_table) {
@@ -2490,7 +2503,9 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_0(
             (void)ret;
         }
 
-        if (! (current_rule_route_flags & WOLFSENTRY_ROUTE_FLAG_DONT_COUNT_CURRENT_CONNECTIONS)) {
+        if ((! (current_rule_route_flags & WOLFSENTRY_ROUTE_FLAG_DONT_COUNT_CURRENT_CONNECTIONS)) &&
+            (config->config.max_connection_count > 0))
+        {
             if (*action_results & WOLFSENTRY_ACTION_RES_CONNECT) {
                 if (rule_route->meta.connection_count >= config->config.max_connection_count) {
                     *action_results |= WOLFSENTRY_ACTION_RES_REJECT;
@@ -3904,7 +3919,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_route_format_address(
         WOLFSENTRY_RETURN_OK;
     }
 
-    if (sa_family == WOLFSENTRY_AF_LINK) {
+    if (sa_family == WOLFSENTRY_AF_LINK || sa_family == WOLFSENTRY_AF_LINK64) {
         unsigned int i;
         if ((addr_bits >> 3) * 3 > (size_t)*buflen)
             WOLFSENTRY_ERROR_RETURN(BUFFER_TOO_SMALL);
@@ -4431,7 +4446,7 @@ static wolfsentry_errcode_t wolfsentry_route_render_address(WOLFSENTRY_CONTEXT_A
         WOLFSENTRY_RETURN_OK;
     }
 
-    if (sa_family == WOLFSENTRY_AF_LINK) {
+    if (sa_family == WOLFSENTRY_AF_LINK || sa_family == WOLFSENTRY_AF_LINK64) {
         unsigned int i;
         for (i=0; i < (addr_bits >> 3); ++i) {
             if (fprintf(f, "%s%02x", i ? ":" : "", (unsigned int)addr[i]) < 0)