CI Workflows Added

    Codespell workflow (.github/workflows/codespell.yml) — automated spell checking on push/PR with a project-specific ignore list for common technical abbreviations (e.g., inh, rcv, ser).
    Multi-compiler workflow (.github/workflows/multi-compiler.yml) — builds and runs unit tests for wolfIP against gcc-11/12/13 and clang-14/15/17 on Ubuntu.
    Sanitizer workflow (.github/workflows/sanitizers.yml) — runs unit tests and standalone TTL tests under ASan, UBSan, and LeakSan to ensure memory safety and catch undefined behavior.
    Build System Improvements
    Makefile updates — added explicit targets for asan, ubsan, and leaksan with the necessary compiler and linker flags for automated testing.
    Bug Fixes
    Format Specifier Correction — updated src/port/posix/bsd_socket.c to use the correct %d specifier for getpid() in debug logs.

Author: aidangarske

.github/workflows/codespell.yml

@@ -0,0 +1,26 @@
+name: Codespell
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout wolfIP
+        uses: actions/checkout@v4
+
+      - name: Run codespell
+        uses: codespell-project/actions-codespell@v2
+        with:
+          skip: .git,./IDE,*.der,*.pem
+          ignore_words_list: inh,inout,keypair,nd,parm,rcv,ser,tha,HSI,TE,UE

.github/workflows/multi-compiler.yml

@@ -0,0 +1,57 @@
+name: Multiple Compilers
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  compiler_test:
+    name: ${{ matrix.cc }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - cc: gcc-11
+          - cc: gcc-12
+          - cc: gcc-13
+          - cc: clang-14
+          - cc: clang-15
+          - cc: clang-17
+
+    steps:
+      - name: Install compiler
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ${{ matrix.cc }}
+
+      - name: Checkout wolfIP
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install -y libwolfssl-dev check
+          sudo modprobe tun
+
+      - name: Build wolfIP with ${{ matrix.cc }}
+        run: |
+          mkdir -p build/port
+          make CC=${{ matrix.cc }}
+
+      - name: Build unit tests
+        run: make unit CC=${{ matrix.cc }}
+
+      - name: Run unit tests
+        run: ./build/test/unit
+
+      - name: Run standalone TTL expired test
+        run: ./build/test-ttl-expired

.github/workflows/sanitizers.yml

@@ -0,0 +1,56 @@
+name: Sanitizer Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sanitizer_test:
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: "ASan"
+            target: "asan"
+          - name: "UBSan"
+            target: "ubsan"
+          - name: "LeakSan"
+            target: "leaksan"
+
+    steps:
+      - name: Workaround high-entropy ASLR
+        run: sudo sysctl vm.mmap_rnd_bits=28
+
+      - name: Checkout wolfIP
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libwolfssl-dev check
+          sudo modprobe tun
+
+      - name: Build wolfIP with ${{ matrix.name }}
+        run: |
+          mkdir -p build/port
+          make ${{ matrix.target }}
+
+      - name: Build unit tests
+        run: make unit
+
+      - name: Run unit tests
+        run: ./build/test/unit
+
+      - name: Run standalone TTL expired test
+        run: ./build/test-ttl-expired

Makefile

@@ -186,6 +186,14 @@ asan: $(EXE) $(LIB)
 asan:CFLAGS+=-fsanitize=address
 asan:LDFLAGS+=-static-libasan
 
+ubsan: $(EXE) $(LIB)
+ubsan:CFLAGS+=-fsanitize=undefined -fno-sanitize-recover=all
+ubsan:LDFLAGS+=-fsanitize=undefined
+
+leaksan: $(EXE) $(LIB)
+leaksan:CFLAGS+=-fsanitize=leak
+leaksan:LDFLAGS+=-fsanitize=leak
+
 ESP_CFLAGS = \
     -DWOLFIP_ESP  -DWOLFSSL_WOLFIP \
     -DDEBUG_IP -DDEBUG_UDP -DDEBUG_ESP

src/port/posix/bsd_socket.c

@@ -1655,7 +1655,8 @@ void __attribute__((constructor)) init_wolfip_posix() {
     if (!wolfip_mask_str || wolfip_mask_str[0] == '\0') {
         wolfip_mask_str = "255.255.255.0";
     }
-    fprintf(stderr, "wolfIP: Serving process PID=%hu, TID=%x\n", getpid(), (unsigned short)pthread_self());
+    fprintf(stderr, "wolfIP: Serving process PID=%d, TID=%x\n", getpid(),
+        (unsigned short)pthread_self());
     inet_aton(host_stack_ip_str, &host_stack_ip);
     swap_socketcall(socket, "socket");
     swap_socketcall(bind, "bind");

src/wolfesp.c

@@ -910,7 +910,7 @@ esp_aes_rfc4106_enc(const wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
 #endif /*WOLFSSL_AESGCM_STREAM */
 
 /**
- * In rfc4543(gcm(aes)) the AAD consists ofthe SPI, Sequence Number,
+ * In rfc4543(gcm(aes)) the AAD consists of the SPI, Sequence Number,
  * and ESP Payload, and the AES-GCM plaintext is zero-length, while in
  * rfc4106(gcm(aes)) the AAD consists only of the SPI and Sequence Number,
  * and the AES-GCM plaintext consists of the ESP Payload.