correct config, KV, protocol, and utility logic

Author: JeremiahM37

src/json/centijson_value.c

@@ -1968,6 +1968,7 @@ json_value_clone(WOLFSENTRY_CONTEXT_ARGS_IN_EX(struct wolfsentry_allocator *allo
                 if (ret2 < 0)
                     WOLFSENTRY_WARN("json_value_fini: %s\n", json_error_str(ret2));
             }
+            break;
         }
     }
 

src/json/load_config.c

@@ -26,6 +26,7 @@
 #define WOLFSENTRY_SOURCE_ID WOLFSENTRY_SOURCE_ID_JSON_LOAD_CONFIG_C
 
 #include <stdlib.h>
+#include <limits.h>
 
 #define MAX_IPV4_ADDR_BITS (sizeof(struct in_addr) * BITS_PER_BYTE)
 #define MAX_IPV6_ADDR_BITS (sizeof(struct in6_addr) * BITS_PER_BYTE)
@@ -384,12 +385,18 @@ static wolfsentry_errcode_t convert_wolfsentry_duration(struct wolfsentry_contex
 
     switch (*endptr) {
     case 'd':
+        if (conv > LONG_MAX / 24 || conv < LONG_MIN / 24)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 24;
         /* fallthrough */
     case 'h':
+        if (conv > LONG_MAX / 60 || conv < LONG_MIN / 60)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 60;
         /* fallthrough */
     case 'm':
+        if (conv > LONG_MAX / 60 || conv < LONG_MIN / 60)
+            WOLFSENTRY_ERROR_RETURN(CONFIG_INVALID_VALUE);
         conv *= 60;
         /* fallthrough */
     case 's':
@@ -1968,7 +1975,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_config_json_fini(
         struct wolfsentry_route_table *old_route_table, *new_route_table;
         if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_ACTUAL_CONTEXT_ARGS_OUT, &old_route_table)) < 0)
             goto out;
-        if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_ACTUAL_CONTEXT_ARGS_OUT, &new_route_table)) < 0)
+        if ((ret = wolfsentry_route_get_main_table(JPSP_WOLFSENTRY_CONTEXT_ARGS_OUT, &new_route_table)) < 0)
             goto out;
         if (wolfsentry_table_n_deletes((struct wolfsentry_table_header *)new_route_table)
             != wolfsentry_table_n_deletes((struct wolfsentry_table_header *)old_route_table))

src/kv.c

@@ -1054,7 +1054,7 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_user_value_get_json(
     struct wolfsentry_kv_pair_internal **user_value_record)
 {
     wolfsentry_errcode_t ret;
-    if ((ret = wolfsentry_kv_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry->user_values, key, key_len, WOLFSENTRY_KV_STRING, user_value_record)) < 0)
+    if ((ret = wolfsentry_kv_get_reference(WOLFSENTRY_CONTEXT_ARGS_OUT, wolfsentry->user_values, key, key_len, WOLFSENTRY_KV_JSON, user_value_record)) < 0)
         WOLFSENTRY_ERROR_RERETURN(ret);
     *value = WOLFSENTRY_KV_V_JSON(&(*user_value_record)->kv);
     WOLFSENTRY_RETURN_OK;

src/lwip/packet_filter_glue.c

@@ -1098,10 +1098,10 @@ static err_t icmp6_filter_with_wolfsentry(
     else
         memset(&local.local.addr, 0, sizeof *laddr);
 
-    remote.remote.sa_proto = IPPROTO_ICMP;
+    remote.remote.sa_proto = IPPROTO_ICMPV6;
     remote.remote.sa_port = 0;
 
-    local.local.sa_proto = IPPROTO_ICMP;
+    local.local.sa_proto = IPPROTO_ICMPV6;
     local.local.sa_port = icmp6_type;
 
     if (event->netif)

src/routes.c

@@ -2366,6 +2366,9 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_0(
     wolfsentry_route_flags_t current_rule_route_flags;
     wolfsentry_errcode_t ret;
     wolfsentry_time_t now;
+    int penalty_triggered = 0;
+    wolfsentry_hitcount_t derog_snap;
+    wolfsentry_hitcount_t commend_snap;
 
     if (target_route == NULL)
         WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
@@ -2553,20 +2556,25 @@ static wolfsentry_errcode_t wolfsentry_route_event_dispatch_0(
         }
     }
 
+    /* Snapshot atomic counts once so the guard and arithmetic operate on the
+     * same values (avoid TOCTOU between successive loads). */
+    derog_snap = WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count);
+    commend_snap = WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.commendable_count);
+    if (config->config.derogatory_threshold_for_penaltybox > 0) {
+        if (config->config.flags & WOLFSENTRY_EVENTCONFIG_FLAG_DEROGATORY_THRESHOLD_IGNORE_COMMENDABLE) {
+            penalty_triggered = (derog_snap >= config->config.derogatory_threshold_for_penaltybox);
+        } else {
+            penalty_triggered = (derog_snap >= commend_snap)
+                && ((derog_snap - commend_snap)
+                    >= config->config.derogatory_threshold_for_penaltybox);
+        }
+    }
+
     if (current_rule_route_flags & WOLFSENTRY_ROUTE_FLAG_PENALTYBOXED) {
         *action_results |= WOLFSENTRY_ACTION_RES_REJECT;
         ret = WOLFSENTRY_ERROR_ENCODE(OK);
         goto done;
-    } else if ((config->config.derogatory_threshold_for_penaltybox > 0)
-               && ((config->config.flags & WOLFSENTRY_EVENTCONFIG_FLAG_DEROGATORY_THRESHOLD_IGNORE_COMMENDABLE) ?
-                   (WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count)
-                    >= config->config.derogatory_threshold_for_penaltybox)
-                   :
-                   ((WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count)
-                     >= WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.commendable_count))
-                    && ((wolfsentry_hitcount_t)(WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.derogatory_count)
-                                                - WOLFSENTRY_ATOMIC_LOAD(rule_route->meta.commendable_count))
-                        >= config->config.derogatory_threshold_for_penaltybox))))
+    } else if (penalty_triggered)
     {
         wolfsentry_route_flags_t flags_before;
         WOLFSENTRY_WARN_ON_FAILURE(

src/wolfsentry_util.c

@@ -232,7 +232,7 @@ WOLFSENTRY_API const char *wolfsentry_errcode_error_string(wolfsentry_errcode_t
             return "unknown user defined error code";
     } else if (i >= WOLFSENTRY_SUCCESS_ID_USER_BASE) {
         if (user_defined_successes[i - WOLFSENTRY_SUCCESS_ID_USER_BASE])
-            return user_defined_errors[i - WOLFSENTRY_SUCCESS_ID_USER_BASE];
+            return user_defined_successes[i - WOLFSENTRY_SUCCESS_ID_USER_BASE];
         else
             return "unknown user defined success code";
     } else if (i >= 0)
@@ -634,7 +634,7 @@ static void *wolfsentry_builtin_malloc(
     WOLFSENTRY_CONTEXT_ARGS_THREAD_NOT_USED;
 #ifdef WOLFSENTRY_MALLOC_DEBUG
     {
-        ret = malloc(size);
+        void *ret = malloc(size);
         if (ret != NULL)
             WOLFSENTRY_ATOMIC_INCREMENT(n_mallocs, 1);
         WOLFSENTRY_RETURN_VALUE(ret);
@@ -989,9 +989,9 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_get_deadline_rel(WOLFSENTRY_CONTE
                 WOLFSENTRY_SUCCESS_RETURN(EXPIRED);
         } else {
             if (now >= deadline)
-                WOLFSENTRY_RETURN_OK;
-            else
                 WOLFSENTRY_SUCCESS_RETURN(EXPIRED);
+            else
+                WOLFSENTRY_RETURN_OK;
         }
     }
 }