From ecf04b64be1fc835d5688a815e3ef40851242ffc Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 6 Jan 2018 09:46:06 +0100
Subject: [PATCH] Allow the server to exceed the calculate MTU size by
 MTU_SLACK

That works around the issue that if we have an asymmetric MTU (different
for sending and receiving), that is not visible to either party. For that,
allow larger than MTU packets to be received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 cstp.c                 | 9 +++++----
 dtls.c                 | 3 ++-
 openconnect-internal.h | 4 ++++
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/cstp.c b/cstp.c
index 5477c5c..5395446 100644
--- a/cstp.c
+++ b/cstp.c
@@ -729,7 +729,8 @@ static int cstp_reconnect(struct openconnect_info *vpninfo)
 int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type,
 				unsigned char *buf, int len)
 {
-	struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->ip_info.mtu);
+	unsigned max = vpninfo->ip_info.mtu+MTU_SLACK;
+	struct pkt *new = malloc(sizeof(struct pkt) + max);
 	const char *comprname = "";
 
 	if (!new)
@@ -746,7 +747,7 @@ int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type
 		vpninfo->inflate_strm.avail_in = len - 4;
 
 		vpninfo->inflate_strm.next_out = new->data;
-		vpninfo->inflate_strm.avail_out = vpninfo->ip_info.mtu;
+		vpninfo->inflate_strm.avail_out = max;
 		vpninfo->inflate_strm.total_out = 0;
 
 		if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {
@@ -768,7 +769,7 @@ int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type
 	} else if (compr_type == COMPR_LZS) {
 		comprname = "LZS";
 
-		new->len = lzs_decompress(new->data, vpninfo->ip_info.mtu, buf, len);
+		new->len = lzs_decompress(new->data, max, buf, len);
 		if (new->len < 0) {
 			len = new->len;
 			if (len == 0)
@@ -781,7 +782,7 @@ int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type
 #ifdef HAVE_LZ4
 	} else if (compr_type == COMPR_LZ4) {
 		comprname = "LZ4";
-		new->len = LZ4_decompress_safe((void *)buf, (void *)new->data, len, vpninfo->ip_info.mtu);
+		new->len = LZ4_decompress_safe((void *)buf, (void *)new->data, len, max);
 		if (new->len <= 0) {
 			len = new->len;
 			if (len == 0)
diff --git a/dtls.c b/dtls.c
index 80d6c05..13c2553 100644
--- a/dtls.c
+++ b/dtls.c
@@ -273,7 +273,8 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	}
 
 	while (1) {
-		int len = vpninfo->ip_info.mtu;
+		/* Allow the peer sending larger than MTU packets */
+		int len = vpninfo->ip_info.mtu + MTU_SLACK;
 		unsigned char *buf;
 
 		if (!vpninfo->dtls_pkt) {
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 5b9a8d6..a91b8d1 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -118,6 +118,10 @@
 #define SHA1_SIZE 20
 #define MD5_SIZE 16
 
+/* The amount of bytes which the peer can exceed the MTU on its
+ * packets. */
+#define MTU_SLACK 256
+
 /* FreeBSD provides this in <sys/param.h>  */
 #ifndef MAX
 #define MAX(x,y) ((x)>(y))?(x):(y)
-- 
2.11.0