Fix Inverted Bit-Index and Shared Lock Leak on Event Lookup Failure#81
Merged
douzzer merged 5 commits intowolfSSL:masterfrom Apr 16, 2026
Merged
Conversation
…ndex in partial-byte subnet comparison and address masking
…ak when wolfsentry_event_get_reference fails in dispatch_by_route and dispatch_by_id
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
…init_by_exports (lines 903-904, 920-921) — swapped left_over_bits and (BITS_PER_BYTE - left_over_bits) in check/clear masks - HIGH-1 test: Added /25 subnet test via wolfsentry_route_insert_by_exports with a dirty low bit to validate masking through the exports path - MEDIUM-1: Added comment clarifying the route pointer remains valid after drop_reference because the table holds its own reference
douzzer
requested changes
Apr 15, 2026
Collaborator
douzzer
left a comment
douzzer
left a comment
There was a problem hiding this comment.
Good catches by Mr. Claude!
To get a clean run of make check-all, I needed the following tweaks:
diff --git a/tests/unittests.c b/tests/unittests.c
index 591068f..1817b60 100644
--- a/tests/unittests.c
+++ b/tests/unittests.c
@@ -2372,8 +2372,7 @@ static int test_static_routes(void) {
#ifdef WOLFSENTRY_THREADSAFE
/* if the shared lock leaked, this unlock would succeed. */
- WOLFSENTRY_EXIT_ON_SUCCESS(
- wolfsentry_context_unlock(WOLFSENTRY_CONTEXT_ARGS_OUT));
+ WOLFSENTRY_EXIT_ON_FALSE(wolfsentry->lock.state == WOLFSENTRY_LOCK_UNLOCKED);
#endif
/* likewise test that dispatch_by_id does not leak its shared lock
@@ -2391,8 +2390,7 @@ static int test_static_routes(void) {
#ifdef WOLFSENTRY_THREADSAFE
/* if the shared lock leaked, this unlock would succeed. */
- WOLFSENTRY_EXIT_ON_SUCCESS(
- wolfsentry_context_unlock(WOLFSENTRY_CONTEXT_ARGS_OUT));
+ WOLFSENTRY_EXIT_ON_FALSE(wolfsentry->lock.state == WOLFSENTRY_LOCK_UNLOCKED);
#endif
WOLFSENTRY_EXIT_ON_FAILURE(
@@ -2651,7 +2649,7 @@ static int test_static_routes(void) {
| WOLFSENTRY_ROUTE_FLAG_REMOTE_INTERFACE_WILDCARD;
/* 192.168.1.0/25 -- intentionally set a low bit that must be masked */
- memcpy(exp_remote_addr, "\xC0\xA8\x01\x01", 4);
+ memcpy(exp_remote_addr, "\xC0\xA8\x01\x01", 4); /* NOLINT(bugprone-not-null-terminated-result) */
exp_route.remote_address = exp_remote_addr;
exp_route.remote.addr_len = 25;
exp_route.remote.sa_port = 0;
douzzer
approved these changes
Apr 16, 2026
Collaborator
douzzer
left a comment
douzzer
left a comment
There was a problem hiding this comment.
LGTM. passes local make check-all
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
F-2454, F-2062