More various fixes (F-*)#109
Merged
danielinux merged 4 commits intowolfSSL:masterfrom May 7, 2026
Merged
Conversation
Contributor
gasbytes
commented
May 6, 2026
gasbytes
commented
- Add four test_icmp_input_dest_unreach_port_unreachable_mismatched_orig_{src_ip,dst_ip,src_port,dst_port}_ignoredtests pinning icmp_try_deliver_tcp_error's all-must-match 4-tuple policy at src/wolfip.c:2469/2471 so a partial-match ICMP error can no longer pass the filter and tear down a SYN_SENT socket via PORT_UNREACH, with each test flipping exactly one component so a || -> && (or outright deletion) mutation at either filter line is caught.
- Add wolfIP_if_for_local_ip dst check to icmp_input's ECHO_REQUEST path so wolfIP no longer reflects echo replies for non-local destinations per RFC 1122 section 3.2.2.6, with test_regression_icmp_echo_request_non_local_dst_no_reply pinning the contract and the six existing echo tests updated to wolfIP_ipconfig_set so they still reach their original paths.
- Tighten ip_recv's forwarding TTL<=1 precondition to len >= ETH_HEADER_LEN + ip_hlen + 8 so wolfIP_send_ttl_exceeded can no longer over-read past an under-sized options-bearing frame, with test_regression_forward_ttl_exceeded_short_len_with_options_no_send pinning the contract.
- Add a 127/8 source filter alongside the existing 127/8 destination drop in ip_recv's non-loopback-ingress block so an off-link attacker can no longer forge ip.src=127.0.0.1 to impersonate locally-originated traffic per RFC 5735 §4, with test_regression_loopback_source_dropped_on_non_loopback_iface pinning the contract.
…op in ip_recv's non-loopback-ingress block so an off-link attacker can no longer forge ip.src=127.0.0.1 to impersonate locally-originated traffic per RFC 5735 §4, with test_regression_loopback_source_dropped_on_non_loopback_iface pinning the contract.
…_LEN + ip_hlen + 8 so wolfIP_send_ttl_exceeded can no longer over-read past an under-sized options-bearing frame, with test_regression_forward_ttl_exceeded_short_len_with_options_no_send pinning the contract.
…h so wolfIP no longer reflects echo replies for non-local destinations per RFC 1122 section 3.2.2.6, with test_regression_icmp_echo_request_non_local_dst_no_reply pinning the contract and the six existing echo tests updated to wolfIP_ipconfig_set so they still reach their original paths.
…g_{src_ip,dst_ip,src_port,dst_port}_ignoredtests pinning icmp_try_deliver_tcp_error's
all-must-match 4-tuple policy at src/wolfip.c:2469/2471 so a partial-match ICMP error can no longer pass the filter and tear down a SYN_SENT socket via
PORT_UNREACH, with each test flipping exactly one component so a || -> && (or outright deletion) mutation at either filter line is caught.
danielinux
approved these changes
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.