
More various fixes (F-*) #107

Open
gasbytes wants to merge 10 commits into wolfSSL:master from gasbytes:2026-04-26-findings-fixes

Conversation

@gasbytes (Contributor)

  • Guard wolfIP_sock_socket against a NULL stack pointer to prevent segfaults in tcp_new_socket/udp_new_socket/icmp_new_socket/raw_new_socket/packet_new_socket (1037af7).
  • Add martian + strict-RPF source filtering to ip_recv's forwarding relay path, dropping spoofed loopback, link-local, and wrong-interface sources before wolfIP_forward_interface (2d6edbb).
  • Replace signed-int shift reassembly in dns_callback's A-record path with a safe get_be32 helper to avoid ISO C11 6.5.7p4 UB on high-bit top octets (b203126).
  • Add a udp.len <= ip.len - IP_HEADER_LEN guard in udp_try_recv so L2-padded frames can no longer leak post-IP bytes through recvfrom (95bc67b).
  • Add a regression test pinning the IGMP checksum guard in igmp_input (73fc1b1).
  • Reject sub-ETH_HEADER_LEN buffers at the top of wolfIP_recv_on's ethernet branch to prevent OOB reads in the filter callback and eth->type/eth->dst comparisons (671d5ad).
  • Add a regression test pinning RFC 9293 §3.10.7.3 SND.UNA < SEG.ACK <= SND.NXT bounds on the SYN_SENT RST+ACK path in tcp_input (60f7c31).
  • Gate request-side arp_store_neighbor on a matching arp_pending_match_and_clear so unsolicited ARP requests can no longer poison the neighbor cache and lock out legitimate replies (7d92e8b).
  • Add a tcp_time_wait branch in tcp_input that re-ACKs non-RST/SYN matched segments, per RFC 9293 §3.10.7.4, so retransmitted peer FINs after a lost final ACK aren't silently dropped (b700877).
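The two recv-path bounds checks in the list above (rejecting sub-ETH_HEADER_LEN buffers before the Ethernet header is read, and the udp.len <= ip.len - IP_HEADER_LEN guard that stops L2 padding from leaking through recvfrom) together with the unsigned get_be32 helper from the DNS fix, as one added example in C. This is not wolfIP's code: the function names, the IHL == 5 simplification and the 60-byte constructed frame are this example's own, and IP/UDP checksums are deliberately not verified.

```c
/* Added example, not wolfIP code: bounds checks for the Ethernet/IPv4/UDP
 * receive path plus a shift-safe big-endian reader. Constructed input only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HEADER_LEN 14
#define IP_HEADER_LEN  20      /* IHL == 5 only; options are rejected below */
#define UDP_HEADER_LEN 8
#define ETHERTYPE_IPV4 0x0800
#define PROTO_UDP      17

/* Big-endian readers built only from unsigned intermediates, so a top octet
 * >= 0x80 is never shifted into the sign bit of an int (ISO C11 6.5.7p4). */
static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | (unsigned)p[1]);
}

uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Checks Ethernet -> IPv4 -> UDP framing of a caller-supplied buffer of
 * frame_len bytes. Returns the UDP payload length and sets *payload, or -1
 * when the frame must be dropped. Checksums are not verified here. */
int udp_payload_from_frame(const uint8_t *frame, size_t frame_len,
                           const uint8_t **payload)
{
    const uint8_t *ip, *udp;
    unsigned ip_len, udp_len;

    if (frame_len < ETH_HEADER_LEN)              /* runt: eth->type/eth->dst would be OOB */
        return -1;
    if (get_be16(frame + 12) != ETHERTYPE_IPV4)
        return -1;
    if (frame_len < ETH_HEADER_LEN + IP_HEADER_LEN)
        return -1;
    ip = frame + ETH_HEADER_LEN;
    if (ip[0] != 0x45 || ip[9] != PROTO_UDP)     /* IPv4, IHL 5, UDP */
        return -1;
    ip_len = get_be16(ip + 2);
    /* Bytes past ip.len are Ethernet minimum-size padding, not packet data,
     * and ip.len itself must lie inside what the driver handed us. */
    if (ip_len < IP_HEADER_LEN + UDP_HEADER_LEN || ip_len > frame_len - ETH_HEADER_LEN)
        return -1;
    udp = ip + IP_HEADER_LEN;
    udp_len = get_be16(udp + 4);
    /* The guard from the PR, udp.len <= ip.len - IP_HEADER_LEN: without it a
     * crafted udp.len reaches into the padding and recvfrom() returns it. */
    if (udp_len < UDP_HEADER_LEN || udp_len > ip_len - IP_HEADER_LEN)
        return -1;
    *payload = udp + UDP_HEADER_LEN;
    return (int)(udp_len - UDP_HEADER_LEN);
}

/* Constructed frame for the demo: 4-byte UDP payload "abcd" padded with 'A'
 * to the 60-byte Ethernet minimum; udp_len_field is what the UDP header claims. */
static size_t build_frame(uint8_t *buf, uint16_t udp_len_field)
{
    static const uint8_t hdr[] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
        0x45,0x00, 0x00,0x20, 0x00,0x01, 0x00,0x00, 0x40,0x11, 0x00,0x00,  /* ip.len = 32 */
        192,168,1,2, 192,168,1,1,
        0x12,0x34, 0x00,0x35, 0x00,0x00, 0x00,0x00,                        /* udp.len patched */
        'a','b','c','d' };
    memset(buf, 'A', 60);
    memcpy(buf, hdr, sizeof hdr);
    buf[ETH_HEADER_LEN + IP_HEADER_LEN + 4] = (uint8_t)(udp_len_field >> 8);
    buf[ETH_HEADER_LEN + IP_HEADER_LEN + 5] = (uint8_t)udp_len_field;
    return 60;
}

/* Feeds the constructed frame in as if frame_len bytes had arrived. Returns the
 * accepted payload length, -1 if dropped, -2 if the wrong bytes came back. */
int check_case(uint16_t udp_len_field, size_t frame_len)
{
    uint8_t f[60];
    const uint8_t *p = NULL;
    int n;
    build_frame(f, udp_len_field);
    n = udp_payload_from_frame(f, frame_len, &p);
    return (n > 0 && memcmp(p, "abcd", (size_t)n) != 0) ? -2 : n;
}

/* Source address of the constructed frame (top octet 0xC0 >= 0x80). */
uint32_t demo_src_ip(void)
{
    uint8_t f[60];
    build_frame(f, 12);
    return get_be32(f + ETH_HEADER_LEN + 12);
}

int main(void)
{
    printf("honest udp.len=12  -> %d payload bytes\n", check_case(12, 60));
    printf("crafted udp.len=40 -> %d (dropped)\n", check_case(40, 60));
    printf("runt 10-byte frame -> %d (dropped)\n", check_case(12, 10));
    printf("src ip = 0x%08x\n", (unsigned)demo_src_ip());
    return 0;
}
```

The crafted case is the leak the PR closes: the IP header says 32 bytes, so the honest UDP length is at most 12, but a UDP length of 40 would have asked recvfrom to copy 32 bytes, 28 of which are the 'A' padding the driver appended rather than anything the sender put on the wire.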
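The martian and strict-RPF source filter described for the forwarding relay path, as an added example in C that is not wolfIP's code. iface_t, forward_source_check and the three-interface table are assumptions made for the illustration; only the three source classes the PR names (127.0.0.0/8 off a non-loopback interface, 169.254.0.0/16, and a locally configured subnet arriving on the wrong interface) are implemented, and wolfIP's real interface model may differ.

```c
/* Added example, not wolfIP code: martian + strict reverse-path filtering of
 * the IPv4 source before a packet is relayed. Addresses are host byte order. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                      ((uint32_t)(c) << 8)  |  (uint32_t)(d))

typedef struct {
    const char *name;
    uint32_t    ip;
    uint32_t    mask;
    int         loopback;
} iface_t;

enum { FWD_OK = 0, FWD_DROP_LOOPBACK, FWD_DROP_LINKLOCAL, FWD_DROP_RPF, FWD_DROP_BADIF };

/* Decide whether a packet with source src, received on ifs[ingress], may be
 * handed to the forwarding path. Runs before any route lookup. */
int forward_source_check(uint32_t src, size_t ingress, const iface_t *ifs, size_t n)
{
    if (ingress >= n)
        return FWD_DROP_BADIF;
    /* 127.0.0.0/8 must never appear outside a host (RFC 1122 3.2.1.3), so it
     * is only legitimate when the ingress interface is a loopback. */
    if ((src & 0xFF000000u) == IP4(127,0,0,0) && !ifs[ingress].loopback)
        return FWD_DROP_LOOPBACK;
    /* 169.254.0.0/16 is link-local and is never forwarded (RFC 3927 2.7). */
    if ((src & 0xFFFF0000u) == IP4(169,254,0,0))
        return FWD_DROP_LINKLOCAL;
    /* Strict reverse-path check: a source inside one of our own subnets must
     * have arrived on that subnet's interface; anything else is spoofed. */
    for (size_t i = 0; i < n; i++)
        if (i != ingress && (src & ifs[i].mask) == (ifs[i].ip & ifs[i].mask))
            return FWD_DROP_RPF;
    return FWD_OK;
}

/* Constructed interface table for the demo. */
static const iface_t g_ifs[] = {
    { "eth0", IP4(192,168,1,1), 0xFFFFFF00u, 0 },
    { "eth1", IP4(10,0,0,1),    0xFFFFFF00u, 0 },
    { "lo",   IP4(127,0,0,1),   0xFF000000u, 1 },
};

int demo_case(uint32_t src, size_t ingress)
{
    return forward_source_check(src, ingress, g_ifs, sizeof g_ifs / sizeof g_ifs[0]);
}

int main(void)
{
    static const char *why[] = { "ok", "loopback src", "link-local src", "rpf fail", "bad ifindex" };
    printf("192.168.1.50 on eth0 -> %s\n", why[demo_case(IP4(192,168,1,50), 0)]);
    printf("192.168.1.50 on eth1 -> %s\n", why[demo_case(IP4(192,168,1,50), 1)]);
    printf("127.0.0.1    on eth0 -> %s\n", why[demo_case(IP4(127,0,0,1), 0)]);
    printf("169.254.3.4  on eth1 -> %s\n", why[demo_case(IP4(169,254,3,4), 1)]);
    printf("8.8.8.8      on eth0 -> %s\n", why[demo_case(IP4(8,8,8,8), 0)]);
    return 0;
}
```

A source outside every local subnet (8.8.8.8 in the demo) passes, because strict RPF against a static interface table can only reject what it knows to be local; a full implementation would consult the routing table for the reverse path as well.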

non-rst/syn matched segment so retransmitted peer FINs caused by a
lost final ack are acknowledged (per reference from RFC 9293 section
3.10.7.4) instead of silently dropped.
…nding_match_and_clear so unsolicited ARP requests can no longer fill the neighbor cache and lock out legitimate replies, with test_arp_request_flood_does_not_lock_out_legit_reply as regression test.

Updated three pre-existing tests to model the now-required solicited-learn path.
….7.3

SND.UNA < SEG.ACK <= SND.NXT on the SYN_SENT RST+ACK path so deletion of the
upper-bound clause and < <-> <= boundary mutations on either bound in tcp_input no
longer slip past CI.
…on's

ethernet branch so the eth filter callback and the eth->type/eth->dst comparisons
can no longer read past the end of a runt caller-supplied buffer, with
test_wolfip_recv_ex_runt_eth_frame_drops_before_filter pinning the contract.
…ecksum

guard in igmp_input so deletion of the rejection branch can no longer slip past CI.
…2-padded

frame whose UDP length overruns its IP packet's declared length can no longer
leak post-IP bytes through recvfrom (per RFC 768 / RFC 791),
with test_regression_udp_len_exceeds_ip_len_dropped pinning the contract.
…s A-record

path with the safe memcpy+ee32 get_be32 helper (hoisted out of the
IP_MULTICAST gate so it is unconditionally available) so a high-bit top
octet (>= 0x80) can no longer trigger ISO C11 6.5.7p4 undefined behavior
on the int shift, with test_regression_dns_callback_high_bit_octet_ip_no_ub pinning
the contract under -fsanitize=undefined.
…ORWARDING

relay path so packets sourced from 127.0.0.0/8 on a non-loopback ingress,
169.254.0.0/16 link-local, or any locally-configured subnet on the wrong
interface are dropped before wolfIP_forward_interface, with
test_regression_forwarding_rpf_drops_spoofed_source pinning the contract.
…a NULL

stack pointer no longer segfaults inside
tcp_new_socket/udp_new_socket/icmp_new_socket/raw_new_socket/packet_new_socket,
with test_regression_sock_socket_null_wolfip_returns_einval pinning the contract.
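The two RFC 9293 rules pinned by the tcp_input commits above (SND.UNA < SEG.ACK <= SND.NXT on the SYN-SENT RST+ACK path, and re-ACKing a retransmitted FIN in TIME-WAIT), as an added example in C that is not wolfIP's tcp_input. tcp_decide, the action enum and the reduction to two states are this example's own simplifications; the boundary cases in main are the ones the PR's mutation-style test is built to catch.

```c
/* Added example, not wolfIP code: segment acceptance decisions for SYN-SENT
 * and TIME-WAIT per RFC 9293 3.10.7.3 / 3.10.7.4, over a tiny TCB view. */
#include <stdint.h>
#include <stdio.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

enum tcp_state  { ST_SYN_SENT, ST_TIME_WAIT };
enum tcp_action { ACT_DROP, ACT_SEND_RST, ACT_ABORT, ACT_SEND_ACK, ACT_CONTINUE };

/* Sequence-space comparisons are modular; the signed 32-bit difference
 * handles wraparound (0xFFFFFFFF is "before" 0). */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_le(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* RFC 9293 3.10.7.3: in SYN-SENT an ACK is acceptable iff
 * SND.UNA < SEG.ACK <= SND.NXT. Both bounds matter: dropping the upper one
 * accepts an ACK for data never sent; turning < into <= accepts
 * SEG.ACK == SND.UNA, which acknowledges nothing. */
int syn_sent_ack_acceptable(uint32_t snd_una, uint32_t snd_nxt, uint32_t seg_ack)
{
    return seq_lt(snd_una, seg_ack) && seq_le(seg_ack, snd_nxt);
}

int tcp_decide(enum tcp_state state, uint8_t flags,
               uint32_t snd_una, uint32_t snd_nxt, uint32_t seg_ack)
{
    switch (state) {
    case ST_SYN_SENT:
        if ((flags & TCP_ACK) && !syn_sent_ack_acceptable(snd_una, snd_nxt, seg_ack))
            /* Not for our SYN: answer with RST, or stay silent if it was itself an RST. */
            return (flags & TCP_RST) ? ACT_DROP : ACT_SEND_RST;
        if (flags & TCP_RST)
            /* Only an RST carrying an acceptable ACK may tear the connection down;
             * a bare RST in SYN-SENT is dropped (blind-reset protection). */
            return (flags & TCP_ACK) ? ACT_ABORT : ACT_DROP;
        return ACT_CONTINUE;   /* SYN / SYN+ACK handling continues in the real stack */

    case ST_TIME_WAIT:
        if (flags & TCP_RST) return ACT_DROP;
        if (flags & TCP_SYN) return ACT_DROP;   /* simplified; see RFC 9293 3.10.7.4 */
        /* The only legitimate arrival is a retransmitted FIN, meaning our final
         * ACK was lost: acknowledge it and restart the 2 MSL timer. */
        return ACT_SEND_ACK;
    }
    return ACT_DROP;
}

int main(void)
{
    /* ISS = 1000: after our SYN, SND.UNA = 1000 and SND.NXT = 1001. */
    printf("RST+ACK ack=1001  -> %d (abort)\n",
           tcp_decide(ST_SYN_SENT, TCP_RST | TCP_ACK, 1000, 1001, 1001));
    printf("RST+ACK ack=1000  -> %d (drop, lower bound)\n",
           tcp_decide(ST_SYN_SENT, TCP_RST | TCP_ACK, 1000, 1001, 1000));
    printf("RST+ACK ack=1002  -> %d (drop, upper bound)\n",
           tcp_decide(ST_SYN_SENT, TCP_RST | TCP_ACK, 1000, 1001, 1002));
    printf("TIME_WAIT FIN+ACK -> %d (re-ack)\n",
           tcp_decide(ST_TIME_WAIT, TCP_FIN | TCP_ACK, 0, 0, 0));
    return 0;
}
```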
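The solicited-learn gating for the ARP neighbor cache, as an added example in C that is not wolfIP's ARP code. arp_pending_match_and_clear and arp_store_neighbor are the names the PR uses, but their bodies here, the pending table, NEIGH_MAX, arp_pending_add, arp_input and flood_requests are this example's own. The cache is kept deliberately tiny so that an unsolicited-request flood visibly would have exhausted it; generating the reply to a request for our own address is omitted.

```c
/* Added example, not wolfIP code: a neighbor cache that only learns from
 * senders we have an outstanding request for, so unsolicited ARP requests
 * cannot fill it and lock out legitimate replies. Constructed input only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP4(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                      ((uint32_t)(c) << 8)  |  (uint32_t)(d))
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2
#define NEIGH_MAX      4      /* deliberately tiny: a flood would fill it */
#define PENDING_MAX    4

typedef struct { uint32_t ip; uint8_t mac[6]; int used; } neigh_t;

static neigh_t  g_neigh[NEIGH_MAX];
static uint32_t g_pending[PENDING_MAX];   /* addresses we sent a request for; 0 = free */

int arp_reset(void) { memset(g_neigh, 0, sizeof g_neigh); memset(g_pending, 0, sizeof g_pending); return 0; }

/* Called when the stack itself emits an ARP request for ip. */
int arp_pending_add(uint32_t ip)
{
    for (int i = 0; i < PENDING_MAX; i++)
        if (g_pending[i] == 0) { g_pending[i] = ip; return 0; }
    return -1;
}

/* 1 (and the slot is cleared) if ip answers a request we sent, else 0. */
static int arp_pending_match_and_clear(uint32_t ip)
{
    for (int i = 0; i < PENDING_MAX; i++)
        if (g_pending[i] == ip) { g_pending[i] = 0; return 1; }
    return 0;
}

static int arp_store_neighbor(uint32_t ip, const uint8_t mac[6])
{
    int free_slot = -1;
    for (int i = 0; i < NEIGH_MAX; i++) {
        if (g_neigh[i].used && g_neigh[i].ip == ip) { memcpy(g_neigh[i].mac, mac, 6); return 0; }
        if (!g_neigh[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;   /* full: entries that got this far would lock real peers out */
    g_neigh[free_slot].ip = ip;
    memcpy(g_neigh[free_slot].mac, mac, 6);
    g_neigh[free_slot].used = 1;
    return 0;
}

int arp_lookup(uint32_t ip, uint8_t *mac_out)
{
    for (int i = 0; i < NEIGH_MAX; i++)
        if (g_neigh[i].used && g_neigh[i].ip == ip) {
            if (mac_out) memcpy(mac_out, g_neigh[i].mac, 6);
            return 1;
        }
    return 0;
}

int neigh_count(void)
{
    int n = 0;
    for (int i = 0; i < NEIGH_MAX; i++) n += g_neigh[i].used;
    return n;
}

/* Receive path for both opcodes. Returns 1 if the sender was learned, 0 if the
 * packet was unsolicited and ignored. The gate is the same for requests and
 * replies: no outstanding request from us, no cache update. */
int arp_input(uint16_t op, uint32_t sender_ip, const uint8_t sender_mac[6])
{
    if (op != ARP_OP_REQUEST && op != ARP_OP_REPLY) return 0;
    if (!arp_pending_match_and_clear(sender_ip)) return 0;
    return arp_store_neighbor(sender_ip, sender_mac) == 0;
}

/* n unsolicited requests from base, base+1, ...; returns how many got cached. */
int flood_requests(uint32_t base, int n)
{
    uint8_t mac[6] = { 0x02, 0xbb, 0xbb, 0xbb, 0xbb, 0x00 };
    for (int i = 0; i < n; i++) {
        mac[5] = (uint8_t)i;
        arp_input(ARP_OP_REQUEST, base + (uint32_t)i, mac);
    }
    return neigh_count();
}

static const uint8_t kLegitMac[6] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };

/* The PR's regression scenario: flood first, then a real exchange. Returns 1
 * when the flood learned nothing and the solicited reply was learned. */
int demo_flood_then_legit(void)
{
    arp_reset();
    if (flood_requests(IP4(10,0,0,100), 16) != 0) return 0;
    if (arp_pending_add(IP4(10,0,0,7)) != 0) return 0;
    if (!arp_input(ARP_OP_REPLY, IP4(10,0,0,7), kLegitMac)) return 0;
    return arp_lookup(IP4(10,0,0,7), NULL) == 1 && neigh_count() == 1;
}
```

Because the pending slot is cleared on the first match, a second packet from the same sender is unsolicited again and does not re-enter the cache through this path; a stack that wants to refresh existing entries from traffic would do that in a separate, bounded update step rather than by relaxing the gate.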
gasbytes self-assigned this Apr 30, 2026
…gate, since the forwarding rpf code uses them unconditionally now
gasbytes requested a review from danielinux April 30, 2026 10:51
gasbytes assigned danielinux and unassigned gasbytes Apr 30, 2026
gasbytes marked this pull request as ready for review April 30, 2026 10:51