[PATCH 3/3] Drop packets that are too large without dropping connection

Nikolay Martynov mar.kolya at gmail.com
Wed May 10 20:03:00 PDT 2017


Sometimes the server sends us packets that are larger than the negotiated MTU.
The current implementation bails out in this case.
This patch just makes openconnect drop such packets and continue.
It looks like the data stream from the VPN server is generally correct, with
the exception of the packet being too large, so we can continue parsing further
packets.

This improves connection stability.

Signed-off-by: Nikolay Martynov <mar.kolya at gmail.com>
---
 mainloop.c | 10 ++++++++++
 oncp.c     |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/mainloop.c b/mainloop.c
index e8e9a78..ab87c95 100644
--- a/mainloop.c
+++ b/mainloop.c
@@ -94,6 +94,16 @@ int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
 
 	while ((this = dequeue_packet(&vpninfo->incoming_queue))) {
 
+		/* Some servers send us packets longer than MTU
+		despite the fact that we have negotiated MTU with
+		them. We will just drop such packets to avoid confusing
+		other places */
+		if (this->len > vpninfo->ip_info.mtu) {
+			vpn_progress(vpninfo, PRG_ERR, _("Got packet that is too long: %d, mtu: .\n"), this->len, vpninfo->ip_info.mtu);
+			free(this);
+			continue;
+		}
+
 		unmonitor_write_fd(vpninfo, tun);
 
 		if (os_write_tun(vpninfo, this)) {
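
Review bot: the format string in the new vpn_progress() call has one conversion but two arguments: "Got packet that is too long: %d, mtu: .\n" prints this->len and silently ignores vpninfo->ip_info.mtu, so the log line never shows the MTU it was compared against. It should read "... too long: %d, mtu: %d\n", with specifiers matching the actual types of this->len and ip_info.mtu. Separately, the message is emitted at PRG_ERR for every dropped packet; since the commit message says the server does this "sometimes" and the connection is meant to keep running, a peer that keeps sending oversized packets will produce one error line per packet, so consider logging at a lower level or only once per burst. The block comment would also read better with the continuation lines aligned under a leading " * ".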
diff --git a/oncp.c b/oncp.c
index 3c7cfa1..40ac1de 100644
--- a/oncp.c
+++ b/oncp.c
@@ -1011,7 +1011,7 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 				goto unknown_pkt;
 			}
 
-			if (!iplen || iplen > vpninfo->ip_info.mtu || iplen > kmplen)
+			if (!iplen || iplen > kmplen)
 				goto badiplen;
 
 			if (iplen > vpninfo->cstp_pkt->len - 20)
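
Review bot: with `iplen > vpninfo->ip_info.mtu` removed from the badiplen test, iplen is now bounded only by kmplen and by the following `iplen > vpninfo->cstp_pkt->len - 20` test, and nothing in this hunk shows how large the cstp_pkt buffer is relative to the MTU. Please state in the commit message (or a comment here) that the receive buffer can hold a payload larger than ip_info.mtu, or keep an explicit upper bound tied to the allocation size, so that the safety of accepting these packets does not rest on the later drop in tun_mainloop(). It is also worth confirming that tun_mainloop() is the only consumer of incoming_queue, since any other path would now see packets longer than the MTU that this check used to reject.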
-- 
2.11.0



