Skip to content

Multiple fixes from Fenrir report#65

Open
danielinux wants to merge 15 commits intowolfSSL:masterfrom
danielinux:fenrir-fixes-2026-03-04
Open

Multiple fixes from Fenrir report#65
danielinux wants to merge 15 commits intowolfSSL:masterfrom
danielinux:fenrir-fixes-2026-03-04

Conversation

@danielinux
Copy link
Member

@danielinux danielinux commented Mar 4, 2026
edited
Loading

  • F/324 Prevent accepting datagrams from any source after UDP connected
  • F/329: TCP: double check ISNs in 3WHS before stepping into state ESTABLISHED
  • F/330: TCP: check in-window / correct seq on received RST (enforce RFC5961 behavior for RST handling)
  • F/325: Rejected as false positive, test added
  • F/391: TCP: Correctly resetting CB_READABLE flags in TCP_CLOSE_WAIT state
  • F/393: UDP connect: validate sin->sin_family and addrlen
  • F/331: Added a guard to skip TTL-exceeded generation on short packets
  • F/394: TCP SACK: use tcp_seq_lt instead of '<' to prevent overflows
  • F/326 DNS: Remove redundant snprintf
  • F/390: Remove RTO cancel/reset in tcp_recv
  • F/332: DNS minimum hdr size validation
  • F/392: DNS cosmetic changes

Copilot AI review requested due to automatic review settings March 4, 2026 14:09
@danielinux danielinux review requested due to automatic review settings March 4, 2026 14:13
Copilot AI review requested due to automatic review settings March 4, 2026 14:20
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses issues reported by Fenrir around socket “connection” semantics: ensuring UDP connected sockets only accept datagrams from the connected peer, and tightening TCP 3-way handshake validation before transitioning to TCP_ESTABLISHED.

Changes:

  • Fix UDP receive-side socket matching to enforce connected-peer source IP filtering.
  • Add additional TCP sequence/acknowledgement validation in SYN_SENT/SYN_RCVD, plus stricter RST handling.
  • Update and extend unit tests to cover the new UDP/TCP behaviors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
src/wolfip.c Updates UDP demux rules for connected sockets; adds TCP handshake ACK/SEQ checks and RST sequence validation logic.
src/test/unit/unit.c Adjusts existing tests for new handshake expectations and adds new tests for invalid SYN-ACK ACK rejection, RST handling, and UDP connected wrong-source rejection.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings March 4, 2026 14:43
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings March 4, 2026 15:06
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings March 4, 2026 15:20
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@danielinux danielinux requested a review from philljj March 4, 2026 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@philljj philljj Awaiting requested review from philljj

At least 1 approving review is required to merge this pull request.

Assignees

@philljj philljj

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@danielinux @philljj