From 9ac5e232214b728f675a44c43e61986ff9245b57 Mon Sep 17 00:00:00 2001
From: Nikolay Martynov <mar.kolya@gmail.com>
Date: Fri, 12 May 2017 19:57:29 -0400
Subject: [PATCH] Do not drop vpn connection if packet arrived is larger than
 MTU

Sometimes server sends us packets that are larger than negotiated MTU.
Current implementation bails out in this case.
This patch makes openconnect to reserve space and handle incoming packets
that have size up to 16384 (to match CSTP).

This improves connection stability.

Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 oncp.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/oncp.c b/oncp.c
index 3c7cfa1e..2a2e354e 100644
--- a/oncp.c
+++ b/oncp.c
@@ -925,8 +925,12 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	   fairly unlikely situation, until the write backlog clears. */
 	while (1) {
 		int len, kmp, kmplen, iplen;
+		/* Some servers send us packets that are larger than
+		   negitiated MTU. We reserve some estra space to
+		   handle that */
+		int receive_mtu = MAX(16384, vpninfo->ip_info.mtu);
 
-		len = vpninfo->ip_info.mtu + vpninfo->pkt_trailer;
+		len = receive_mtu + vpninfo->pkt_trailer;
 		if (!vpninfo->cstp_pkt) {
 			vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + len);
 			if (!vpninfo->cstp_pkt) {
@@ -967,7 +971,7 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 		 * the amount of data received *including* the KMP header. */
 		len = oncp_record_read(vpninfo,
 				       vpninfo->cstp_pkt->oncp.kmp + vpninfo->cstp_pkt->len,
-				       vpninfo->ip_info.mtu + 20 - vpninfo->cstp_pkt->len);
+				       receive_mtu + 20 - vpninfo->cstp_pkt->len);
 		if (!len)
 			break;
 		else if (len < 0) {
@@ -1011,7 +1015,7 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 				goto unknown_pkt;
 			}
 
-			if (!iplen || iplen > vpninfo->ip_info.mtu || iplen > kmplen)
+			if (!iplen || iplen > receive_mtu || iplen > kmplen)
 				goto badiplen;
 
 			if (iplen > vpninfo->cstp_pkt->len - 20)
@@ -1055,7 +1059,7 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 
 		case 302:
 			/* Should never happen; if it does we'll have to cope */
-			if (kmplen > vpninfo->ip_info.mtu)
+			if (kmplen > receive_mtu)
 				goto unknown_pkt;
 			/* Probably never happens. We need it in its own record.
 			 * If I fix oncp_receive_espkeys() not to reuse cstp_pkt