[PATCH 3/3] Drop packets that are too large without dropping connection

Daniel Lenski dlenski at gmail.com
Sun May 14 16:28:45 PDT 2017


On Sun, May 14, 2017 at 12:12 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Sat, 2017-05-13 at 18:56 -0400, Nikolay Martynov wrote:
> Thanks for the patches. This whole thing has made me a bit sad about
> the packet handling; I think I want to put an explicit 'allocated size'
> field into struct pkt so we don't ever have to make assumptions. This
> has caused problems for CSTP before.
>
> Long plane ride ahead of me today; I'll make sure I'm set up to do
> this, and also finally merge Daniel's GP support, while I'm locked in a
> tin can...

Great! Just be aware that my "globalprotect" branch
(https://github.com/dlenski/openconnect/tree/globalprotect) now
includes more than JUST GlobalProtect changes:

- A couple of small modifications to the dtls_state handling (see
e5a0e4d4417062bb88e590660c67946e5c295c38 and
a93bbd76ea32ac81b6c2d6fb405f9b815b37eaf5) to accommodate the fact that
GlobalProtect has to do an awkward tap-dance between the SSL and ESP
tunnel setup to prevent them from stepping on each other's toes.

- I merged my patch to securely log off a Juniper VPN connection with
oncp_bye (5a5b224f2839056ac87bfa3dd621c35b7073f856). openconnect v7.08
leaves the Juniper authcookie "alive" even with SIGINT, which is an
unexpected security hazard.

- A patch to add OC_FORM_OPT_FILL_{USERNAME,PASSWORD} flags to hint at
the purpose of a form field, without requiring that field to have an
AnyConnect-specific name (85c1e35dc276c158710cc32c9d9c5c2108a3a09d).

- The support for enumeration of supported protocols which we've been
discussing (merged in 005bca167453a9a6545cb7a85781fae36f86c4a4).

- A few patches to make utility functions global rather than static
(e.g. free_optlist, dump_buf_hex) so that they can be reused among
multiple protocols.

I've been using this build of openconnect with *multiple* AnyConnect
and *multiple* Juniper VPNs for months, and they're all now working
fine. But if you want me to try to rearrange these to separate them
more cleanly, I can take a crack at it.

-Dan
