From: Daniel Lenski <dlen...@gmail.com> Because GlobalProtect VPNs have no practical mechanism for negotiating the MTU whatsoever, it is entirely based on a client-side guess. Therefore, extra headroom is needed to reliably receive packets via both the HTTPS and the ESP tunnels.
A similar patch by Nikolay Martynov <mar.ko...@gmail.com> was originally applied for the Juniper HTTPS tunnel: http://lists.infradead.org/pipermail/openconnect-devel/2017-May/004320.html And similar functionality was incorporated into the GlobalProtect HTTPS tunnel as well (gpst.c). This patch adds the extra headroom for the ESP tunnel (used by both Juniper and GlobalProtect VPNs) as well, after unexpectedly-large ESP packets were observed "in the wild": https://github.com/dlenski/openconnect/issues/96 Signed-off-by: Dan Lenski <dlen...@gmail.com> --- esp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/esp.c b/esp.c index 80b4723d..e230bda7 100644 --- a/esp.c +++ b/esp.c @@ -249,6 +249,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout) struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in]; struct esp *old_esp = &vpninfo->esp_in[vpninfo->current_esp_in ^ 1]; struct pkt *this; + int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256); int work_done = 0; int ret; @@ -264,7 +265,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout) return 0; while (1) { - int len = vpninfo->ip_info.mtu + vpninfo->pkt_trailer; + int len = receive_mtu + vpninfo->pkt_trailer; int i; struct pkt *pkt; @@ -346,8 +347,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout) } } if (pkt->data[len - 1] == 0x05) { - struct pkt *newpkt = malloc(sizeof(*pkt) + vpninfo->ip_info.mtu + vpninfo->pkt_trailer); - int newlen = vpninfo->ip_info.mtu; + struct pkt *newpkt = malloc(sizeof(*pkt) + receive_mtu + vpninfo->pkt_trailer); + int newlen = receive_mtu; if (!newpkt) { vpn_progress(vpninfo, PRG_ERR, _("Failed to allocate memory to decrypt ESP packet\n")); @@ -360,7 +361,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout) free(newpkt); continue; } - newpkt->len = vpninfo->ip_info.mtu - newlen; + newpkt->len = receive_mtu - newlen; vpn_progress(vpninfo, PRG_TRACE, _("LZO decompressed %d bytes into %d\n"), len - 2 - pkt->data[len-2], newpkt->len); -- 2.16.2 _______________________________________________ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
