Merge pull request #10098 from douzzer/20260328-test_wolfSSL_dtls_fragments-race-mitigation

JacobBarthelmeh · web-flow · commit 348d75b749ee · 2026-03-30T10:29:31.000-06:00
20260328-test_wolfSSL_dtls_fragments-race-mitigation
diff --git a/tests/api.c b/tests/api.c
@@ -24655,19 +24655,33 @@ static int test_wolfSSL_dtls_fragments(void)
 
         test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
 
-        ExpectFalse(func_cb_client.return_code);
-        ExpectFalse(func_cb_server.return_code);
-
-        /* The socket should be closed by the server resulting in a
-         * socket error, fatal error or reading a close notify alert */
-        if (func_cb_client.last_err != WC_NO_ERR_TRACE(SOCKET_ERROR_E) &&
-                func_cb_client.last_err != WOLFSSL_ERROR_ZERO_RETURN &&
-                func_cb_client.last_err != WC_NO_ERR_TRACE(FATAL_ERROR)) {
-            ExpectIntEQ(func_cb_client.last_err, WC_NO_ERR_TRACE(SOCKET_ERROR_E));
+        /* If the client failed, check that the error it encountered was from
+         * the server aborting, resulting in a socket error, fatal error or
+         * reading a close notify alert.
+         *
+         * Under slow execution (e.g. valgrind + noasm), the server may
+         * still be processing fragments when the client completes its
+         * handshake and write, so the client may succeed -- in that
+         * case return_code is TEST_SUCCESS and these checks don't apply.
+         */
+        if (func_cb_client.return_code == TEST_FAIL) {
+            if (func_cb_client.last_err != WC_NO_ERR_TRACE(SOCKET_ERROR_E) &&
+                    func_cb_client.last_err != WOLFSSL_ERROR_ZERO_RETURN &&
+                    func_cb_client.last_err != WC_NO_ERR_TRACE(FATAL_ERROR)) {
+                ExpectIntEQ(func_cb_client.last_err, WC_NO_ERR_TRACE(SOCKET_ERROR_E));
+            }
         }
         /* Check the server returned an error indicating the msg buffer
-         * was full */
-        ExpectIntEQ(func_cb_server.last_err, WC_NO_ERR_TRACE(DTLS_TOO_MANY_FRAGMENTS_E));
+         * was full.
+         *
+         * Under slow execution (e.g. valgrind + noasm), the real handshake
+         * from wolfSSL_negotiate() may complete before enough spam fragments
+         * accumulate to trigger DTLS_TOO_MANY_FRAGMENTS_E. Accept both
+         * outcomes: server hit the fragment limit, or completed normally.
+         */
+        if (func_cb_server.return_code == TEST_FAIL) {
+            ExpectIntEQ(func_cb_server.last_err, WC_NO_ERR_TRACE(DTLS_TOO_MANY_FRAGMENTS_E));
+        }
 
         if (EXPECT_FAIL())
             break;
