[PATCH] check for oversize ESP packets, with 256 bytes of headroom above calculated MTU

Tue Mar 27 08:39:58 PDT 2018

From: Daniel Lenski <dlenski at gmail.com>

Because GlobalProtect VPNs have no practical mechanism for negotiating the
MTU whatsoever, it is entirely based on a client-side guess.  Therefore,
extra headroom is needed to reliably receive packets via both the HTTPS and
the ESP tunnels.

A similar patch by Nikolay Martynov <mar.kolya at gmail.com> was originally
applied for the Juniper HTTPS tunnel:
http://lists.infradead.org/pipermail/openconnect-devel/2017-May/004320.html

And similar functionality was incorporated into the GlobalProtect HTTPS
tunnel as well (gpst.c).

This patch adds the extra headroom for the ESP tunnel (used by both Juniper
and GlobalProtect VPNs) as well, after unexpectedly-large ESP packets were
observed "in the wild":
https://github.com/dlenski/openconnect/issues/96

Signed-off-by: Dan Lenski <dlenski at gmail.com>
---
 esp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/esp.c b/esp.c
index 80b4723d..e230bda7 100644
--- a/esp.c
+++ b/esp.c
@@ -249,6 +249,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in];
 	struct esp *old_esp = &vpninfo->esp_in[vpninfo->current_esp_in ^ 1];
 	struct pkt *this;
+	int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256);
 	int work_done = 0;
 	int ret;
 
@@ -264,7 +265,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 		return 0;
 
 	while (1) {
-		int len = vpninfo->ip_info.mtu + vpninfo->pkt_trailer;
+		int len = receive_mtu + vpninfo->pkt_trailer;
 		int i;
 		struct pkt *pkt;
 
@@ -346,8 +347,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 			}
 		}
 		if (pkt->data[len - 1] == 0x05) {
-			struct pkt *newpkt = malloc(sizeof(*pkt) + vpninfo->ip_info.mtu + vpninfo->pkt_trailer);
-			int newlen = vpninfo->ip_info.mtu;
+			struct pkt *newpkt = malloc(sizeof(*pkt) + receive_mtu + vpninfo->pkt_trailer);
+			int newlen = receive_mtu;
 			if (!newpkt) {
 				vpn_progress(vpninfo, PRG_ERR,
 					     _("Failed to allocate memory to decrypt ESP packet\n"));
@@ -360,7 +361,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 				free(newpkt);
 				continue;
 			}
-			newpkt->len = vpninfo->ip_info.mtu - newlen;
+			newpkt->len = receive_mtu - newlen;
 			vpn_progress(vpninfo, PRG_TRACE,
 				     _("LZO decompressed %d bytes into %d\n"),
 				     len - 2 - pkt->data[len-2], newpkt->len);
-- 
2.16.2


