Harden fail-closed handling, fix mutex leaks, and add mutation-verified tests

src/events.c

@@ -363,7 +363,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_update_config(WOLFSENTRY_CO
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_1(WOLFSENTRY_CONTEXT_ARGS_OUT, label, label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
 
     if (event->config == NULL) {
         if ((event->config = (struct wolfsentry_eventconfig_internal *)WOLFSENTRY_MALLOC(sizeof *event->config)) == NULL)
@@ -618,7 +618,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_event_set_aux_event(
     WOLFSENTRY_MUTEX_OR_RETURN();
 
     ret = wolfsentry_event_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, event_label, event_label_len, &event);
-    WOLFSENTRY_RERETURN_IF_ERROR(ret);
+    WOLFSENTRY_UNLOCK_AND_RERETURN_IF_ERROR(ret);
     if (WOLFSENTRY_CHECK_BITS(event->flags, WOLFSENTRY_EVENT_FLAG_IS_SUBEVENT)) {
         ret = WOLFSENTRY_ERROR_ENCODE(INCOMPATIBLE_STATE);
         goto out;

src/json/load_config.c

@@ -876,6 +876,8 @@ static wolfsentry_errcode_t handle_route_endpoint_clause(struct wolfsentry_json_
     }
 #endif
     else if (! strcmp(jps->cur_keyname, "prefix-bits")) {
+        wolfsentry_addr_bits_t max_bits;
+        wolfsentry_errcode_t ret;
         if (sa->sa_family == WOLFSENTRY_AF_UNSPEC)
             WOLFSENTRY_ERROR_RETURN(CONFIG_OUT_OF_SEQUENCE);
 #ifdef WOLFSENTRY_ADDR_BITMASK_MATCHING
@@ -888,7 +890,16 @@ static wolfsentry_errcode_t handle_route_endpoint_clause(struct wolfsentry_json_
             WOLFSENTRY_ERROR_RETURN(CONFIG_MISPLACED_KEY);
         }
 #endif
-        WOLFSENTRY_ERROR_RERETURN(convert_uint16(type, data, data_size, &sa->addr_len));
+        ret = convert_uint16(type, data, data_size, &sa->addr_len);
+        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        ret = wolfsentry_addr_family_max_addr_bits(
+            JPS_WOLFSENTRY_CONTEXT_ARGS_OUT,
+            sa->sa_family,
+            &max_bits);
+        WOLFSENTRY_RERETURN_IF_ERROR(ret);
+        if (sa->addr_len > max_bits)
+            WOLFSENTRY_ERROR_RETURN(NUMERIC_ARG_TOO_BIG);
+        WOLFSENTRY_RETURN_OK;
     }
     else if (! strcmp(jps->cur_keyname, "interface")) {
         WOLFSENTRY_CLEAR_BITS(jps->o_u_c.route.flags,

src/lwip/packet_filter_glue.c

@@ -101,7 +101,7 @@ static err_t ethernet_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -132,7 +132,7 @@ static err_t ethernet_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_LINK;
@@ -182,7 +182,7 @@ static err_t ethernet_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -238,7 +238,7 @@ static err_t ip4_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -272,7 +272,7 @@ static err_t ip4_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -322,7 +322,7 @@ static err_t ip4_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -373,7 +373,7 @@ static err_t ip6_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -407,7 +407,7 @@ static err_t ip6_filter_with_wolfsentry(
     case FILT_LISTENING:
     case FILT_STOP_LISTENING:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -457,7 +457,7 @@ static err_t ip6_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -511,7 +511,7 @@ static err_t tcp_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_ACCEPTING:
@@ -589,7 +589,7 @@ static err_t tcp_filter_with_wolfsentry(
     case FILT_DISSOCIATE:
     case FILT_ADDR_UNREACHABLE:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
 #if LWIP_IPV6
@@ -658,10 +658,10 @@ static err_t tcp_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-        ret = ERR_RST;
-    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+        ret = ERR_RST;
     else
         ret = ERR_OK;
 
@@ -723,7 +723,7 @@ static err_t udp_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_BINDING:
@@ -778,7 +778,7 @@ static err_t udp_filter_with_wolfsentry(
     case FILT_ADDR_UNREACHABLE:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
 #if LWIP_IPV6
@@ -847,10 +847,10 @@ static err_t udp_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
-        ret = ERR_RST;
-    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
+    else if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_PORT_RESET))
+        ret = ERR_RST;
     else
         ret = ERR_OK;
 
@@ -910,7 +910,7 @@ static err_t icmp4_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -945,7 +945,7 @@ static err_t icmp4_filter_with_wolfsentry(
     case FILT_STOP_LISTENING:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET;
@@ -995,7 +995,7 @@ static err_t icmp4_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;
@@ -1046,7 +1046,7 @@ static err_t icmp6_filter_with_wolfsentry(
 #endif
 
     if (wolfsentry == NULL)
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
 
     switch(event->reason) {
     case FILT_RECEIVING:
@@ -1081,7 +1081,7 @@ static err_t icmp6_filter_with_wolfsentry(
     case FILT_STOP_LISTENING:
     case FILT_CLOSE_WAIT:
         /* can't happen. */
-        WOLFSENTRY_RETURN_VALUE(ERR_OK);
+        WOLFSENTRY_RETURN_VALUE(ERR_ABRT);
     }
 
     remote.remote.sa_family = WOLFSENTRY_AF_INET6;
@@ -1131,7 +1131,7 @@ static err_t icmp6_filter_with_wolfsentry(
 
     WOLFSENTRY_WARN_ON_FAILURE(ws_ret);
 
-    if (WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || WOLFSENTRY_MASKIN_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
         ret = ERR_ABRT;
     else
         ret = ERR_OK;

src/wolfip/packet_filter_glue.c

@@ -141,7 +141,7 @@ static int wolfip_dispatch_event(
     WOLFSENTRY_THREAD_HEADER_DECLS
 
     if (wolfsentry == NULL)
-        return 0;
+        return -WOLFIP_EACCES;
 
     if (WOLFSENTRY_THREAD_HEADER_INIT(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
         return -WOLFIP_EACCES;
@@ -163,7 +163,7 @@ static int wolfip_dispatch_event(
     if (WOLFSENTRY_THREAD_TAILER(WOLFSENTRY_THREAD_FLAG_NONE) < 0)
         return -WOLFIP_EACCES;
 
-    if (wolfip_action_rejects(*action_results))
+    if (WOLFSENTRY_IS_FAILURE(ws_ret) || wolfip_action_rejects(*action_results))
         return -WOLFIP_EACCES;
 
     return 0;
@@ -209,7 +209,7 @@ static int wolfip_filter_ethernet(
         action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
         break;
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 
     wolfip_set_link_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -261,7 +261,7 @@ static int wolfip_filter_ipv4(
         action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
         break;
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 
     wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -360,7 +360,7 @@ static int wolfip_filter_tcp(
         action_results = WOLFSENTRY_ACTION_RES_DEROGATORY;
         break;
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 
     wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -442,7 +442,7 @@ static int wolfip_filter_udp(
             WOLFSENTRY_ACTION_RES_EXCLUDE_REJECT_ROUTES;
         break;
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 
     wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -504,7 +504,7 @@ static int wolfip_filter_icmp(
         action_results = WOLFSENTRY_ACTION_RES_SOCK_ERROR;
         break;
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 
     wolfip_set_ipv4_sockaddrs(&remote.remote, &local.local, event, outbound);
@@ -518,8 +518,10 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
 {
     struct wolfsentry_context *wolfsentry = (struct wolfsentry_context *)arg;
 
-    if ((wolfsentry == NULL) || (event == NULL))
-        return 0;
+    if (wolfsentry == NULL)
+        return -WOLFIP_EACCES;
+    if (event == NULL)
+        return -WOLFIP_EACCES;
 
     switch (event->meta.ip_proto) {
     case WOLFIP_FILTER_PROTO_ETH:
@@ -533,7 +535,7 @@ static int wolfip_filter_with_wolfsentry(void *arg, const struct wolfIP_filter_e
     case WOLFIP_FILTER_PROTO_ICMP:
         return wolfip_filter_icmp(wolfsentry, event);
     default:
-        return 0;
+        return -WOLFIP_EACCES;
     }
 }
 

src/wolfsentry_util.c

@@ -3606,6 +3606,10 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_eventconfig_check(
         WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
     if (config->derogatory_threshold_for_penaltybox > MAX_UINT_OF(instance_of_field(struct wolfsentry_route, meta.derogatory_count)))
         WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
+    if (config->route_flags_to_add_on_insert & WOLFSENTRY_ROUTE_FLAG_PENALTYBOXED)
+        WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
+    if (config->route_flags_to_clear_on_insert & WOLFSENTRY_ROUTE_FLAG_PENALTYBOXED)
+        WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
     ret = wolfsentry_route_check_flags_sensical(config->route_flags_to_add_on_insert);
     WOLFSENTRY_RERETURN_IF_ERROR(ret);