Build with -Wstrict-overflow=5 and fix revealed warnings.

Some of these are actual bugs, but none are security-sensitive.

Makefile

@@ -3,7 +3,7 @@ NDHC_OBJS = $(NDHC_SRCS:.c=.o)
 NDHC_DEP = $(NDHC_SRCS:.c=.d)
 INCL = -I.
 
-CFLAGS = -MMD -O2 -s -std=gnu99 -pedantic -Wall -Wextra -Wimplicit-fallthrough=0 -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -Wunused-const-variable=0 -Wcast-qual -Wsign-conversion -D_GNU_SOURCE -Wno-discarded-qualifiers
+CFLAGS = -MMD -O2 -s -std=gnu99 -pedantic -Wall -Wextra -Wimplicit-fallthrough=0 -Wformat=2 -Wformat-nonliteral -Wformat-security -Wshadow -Wpointer-arith -Wmissing-prototypes -Wunused-const-variable=0 -Wcast-qual -Wsign-conversion -D_GNU_SOURCE -Wno-discarded-qualifiers -Wstrict-overflow=5
 CPPFLAGS += $(INCL)
 
 all: ragel ndhc

arp.c

@@ -27,10 +27,10 @@
 #define ARP_MAX_TRIES 3
 
 // From RFC5227
-int arp_probe_wait = 1000;         // initial random delay (ms)
-int arp_probe_num = 3;             // number of probe packets
-int arp_probe_min = 1000;          // minimum delay until repeated probe (ms)
-int arp_probe_max = 2000;          // maximum delay until repeated probe (ms)
+unsigned arp_probe_wait = 1000;         // initial random delay (ms)
+unsigned arp_probe_num = 3;        // number of probe packets
+unsigned arp_probe_min = 1000;          // minimum delay until repeated probe (ms)
+unsigned arp_probe_max = 2000;          // maximum delay until repeated probe (ms)
 #define ANNOUNCE_WAIT 2000         // delay before announcing
 #define ANNOUNCE_NUM 2             // number of Announcement packets
 #define ANNOUNCE_INTERVAL 2000     // time between Announcement packets
@@ -368,12 +368,12 @@ static int arp_is_query_reply(struct arpMsg *am)
     return 1;
 }
 
-static int arp_gen_probe_wait(struct client_state_t *cs)
+static unsigned arp_gen_probe_wait(struct client_state_t *cs)
 {
-    int range = arp_probe_max - arp_probe_min;
+    unsigned range = arp_probe_max - arp_probe_min;
     if (range < 1000) range = 1000;
     // This is not a uniform distribution but it doesn't matter here.
-    return arp_probe_min + (int)(nk_random_u32(&cs->rnd_state) % (unsigned)range);
+    return arp_probe_min + nk_random_u32(&cs->rnd_state) % range;
 }
 
 int arp_defense_timeout(struct client_state_t *cs, long long nowts)
@@ -477,7 +477,7 @@ int arp_gw_query_timeout(struct client_state_t *cs, long long nowts)
 
 int arp_collision_timeout(struct client_state_t *cs, long long nowts)
 {
-    if (nowts >= garp.arp_check_start_ts + ANNOUNCE_WAIT ||
+    if (nowts - garp.arp_check_start_ts >= ANNOUNCE_WAIT ||
         garp.send_stats[ASEND_COLLISION_CHECK].count >= arp_probe_num)
     {
         char clibuf[INET_ADDRSTRLEN];

arp.h

@@ -28,10 +28,10 @@ struct arpMsg {
     uint8_t  pad[18];       // 2a pad for min. ethernet payload (60 bytes)
 };
 
-extern int arp_probe_wait;
-extern int arp_probe_num;
-extern int arp_probe_min;
-extern int arp_probe_max;
+extern unsigned arp_probe_wait;
+extern unsigned arp_probe_num;
+extern unsigned arp_probe_min;
+extern unsigned arp_probe_max;
 
 typedef enum {
     AS_NONE = 0,        // Nothing to react to wrt ARP
@@ -55,7 +55,7 @@ typedef enum {
 
 struct arp_stats {
     long long ts;
-    int count;
+    unsigned count;
 };
 
 struct arp_data {
@@ -68,7 +68,7 @@ struct arp_data {
                                   // AS_COLLISION_CHECK state.
     unsigned int total_conflicts; // Total number of address conflicts on
                                   // the interface.  Never decreases.
-    int gw_check_initpings;       // Initial count of ASEND_GW_PING when
+    unsigned gw_check_initpings;  // Initial count of ASEND_GW_PING when
                                   // AS_GW_CHECK was entered.
     uint16_t probe_wait_time;     // Time to wait for a COLLISION_CHECK reply
                                   // (in ms?).

cfg.rl

@@ -108,15 +108,17 @@ struct cfgparse {
     action arp_probe_wait {
         int t = atoi(ccfg.buf);
         if (t >= 0)
-            arp_probe_wait = t;
+            arp_probe_wait = (unsigned)t;
     }
     action arp_probe_num {
         int t = atoi(ccfg.buf);
         if (t >= 0)
-            arp_probe_num = t;
+            arp_probe_num = (unsigned)t;
     }
     action arp_probe_min {
-        int t = atoi(ccfg.buf);
+        int ti = atoi(ccfg.buf);
+        if (ti >= 0) {
+            unsigned t = (unsigned)ti;
             arp_probe_min = t;
             if (arp_probe_min > arp_probe_max) {
                 t = arp_probe_max;
@@ -124,8 +126,11 @@ struct cfgparse {
                 arp_probe_min = t;
             }
         }
+    }
     action arp_probe_max {
-        int t = atoi(ccfg.buf);
+        int ti = atoi(ccfg.buf);
+        if (ti >= 0) {
+            unsigned t = (unsigned)ti;
             arp_probe_max = t;
             if (arp_probe_min > arp_probe_max) {
                 t = arp_probe_max;
@@ -133,6 +138,7 @@ struct cfgparse {
                 arp_probe_min = t;
             }
         }
+    }
     action gw_metric {
         char *q;
         long mt = strtol(ccfg.buf, &q, 10);

options.c

@@ -9,9 +9,9 @@
 
 #include "options.h"
 
-static int do_overload_value(const uint8_t *buf, ssize_t blen, int overload)
+static int do_overload_value(const uint8_t *buf, size_t blen, int overload)
 {
-    ssize_t i = 0;
+    size_t i = 0;
     while (i < blen) {
         if (buf[i] == DCODE_PADDING) {
             ++i;
@@ -19,7 +19,7 @@ static int do_overload_value(const uint8_t *buf, ssize_t blen, int overload)
         }
         if (buf[i] == DCODE_END)
             break;
-        if (i >= blen - 2)
+        if (i + 2 >= blen)
             break;
         if (buf[i] == DCODE_OVERLOAD) {
             if (buf[i+1] == 1) {