main-ctl-unix: avg_auth_time is aggregated incorrectly across sec-mod instances

Type
Functional bug (non-security)

Affected version
Upstream 1.4.2

Impact
occtl show status reports an incorrect Average auth time when sec-mod-instance-count > 1, which can mislead operators during auth latency troubleshooting.

Current behavior
In method_status(), the loop overwrites rep.avg_auth_time on each iteration and then divides by instance count:

  • overwrite: main-ctl-unix.c (line 230)
  • divide: main-ctl-unix.c (line 233)

This effectively computes last_instance_avg / N.

Expected behavior
At minimum, aggregate all instance averages before dividing (sum(avg_i) / N).

Why this is a bug
A correct aggregation pattern already exists in-tree (stats reset path):

  • accumulate: main-sec-mod-cmd.c (line 643)
  • divide by count: main-sec-mod-cmd.c (line 647)

Minimal fix
In method_status(), change:

rep.avg_auth_time = ctx->s->sec_mod_instances[i].avg_auth_time;

to:

rep.avg_auth_time += ctx->s->sec_mod_instances[i].avg_auth_time;

and keep the existing division by sec_mod_instance_count.

Severity (self-assessment)
Low to Medium (observability/metrics correctness only; no auth bypass or memory safety impact).
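
The difference between the two loop bodies, as an added stand-alone example (not ocserv source, and not code from the reporter). The struct, the function names, the unsigned type and the sample values are assumptions made for illustration; only the overwrite and accumulate patterns come from the report.

```c
#include <stdio.h>

/* Hypothetical stand-in for the per-instance stats of one sec-mod instance. */
struct instance_stats {
    unsigned avg_auth_time; /* constructed sample value */
};

/* Pattern from "Current behavior": each iteration overwrites the result,
 * so only the last instance survives before the division. */
static unsigned status_avg_overwrite(const struct instance_stats *inst, unsigned n)
{
    unsigned avg = 0;
    for (unsigned i = 0; i < n; i++)
        avg = inst[i].avg_auth_time;
    if (n)              /* zero guard added for this example */
        avg /= n;
    return avg;         /* last_instance_avg / N */
}

/* Pattern from "Minimal fix": accumulate every instance, then divide. */
static unsigned status_avg_accumulate(const struct instance_stats *inst, unsigned n)
{
    unsigned avg = 0;
    for (unsigned i = 0; i < n; i++)
        avg += inst[i].avg_auth_time;
    if (n)
        avg /= n;
    return avg;         /* sum(avg_i) / N, integer division */
}

/* Constructed data: the same three instances in two different orders. */
static const struct instance_stats sample[] = { {12}, {3}, {6} };
static const struct instance_stats sample_reordered[] = { {6}, {3}, {12} };

int main(void)
{
    /* The overwrite variant changes with instance order; the fixed one does not. */
    printf("overwrite:  %u vs %u\n",
           status_avg_overwrite(sample, 3),
           status_avg_overwrite(sample_reordered, 3));
    printf("accumulate: %u vs %u\n",
           status_avg_accumulate(sample, 3),
           status_avg_accumulate(sample_reordered, 3));
    return 0;
}
```

With the overwrite pattern the reported figure depends only on whichever instance is iterated last, so it is both too small and sensitive to instance order.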