@@ -44,7 +44,7 @@
* if yes, hand to mss_fixup_dowork()
*/
void
-mss_fixup_ipv4(struct buffer *buf, int maxmss)
+mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss)
{
const struct openvpn_iphdr *pip;
int hlen;
@@ -72,7 +72,7 @@
struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
{
- mss_fixup_dowork(&newbuf, (uint16_t) maxmss);
+ mss_fixup_dowork(&newbuf, maxmss);
}
}
}
@@ -84,7 +84,7 @@
* (IPv6 header structure is sufficiently different from IPv4...)
*/
void
-mss_fixup_ipv6(struct buffer *buf, int maxmss)
+mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss)
{
const struct openvpn_ipv6hdr *pip6;
struct buffer newbuf;
@@ -130,7 +130,7 @@
struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
{
- mss_fixup_dowork(&newbuf, (uint16_t) maxmss-20);
+ mss_fixup_dowork(&newbuf, maxmss-20);
}
}
}
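Review bot: `mss_fixup_dowork(&newbuf, maxmss-20);` is still an int expression implicitly narrowed to uint16_t at the call, which is the kind of conversion the rest of this patch spells out with explicit casts (the opt[2]/opt[3] stores, the frame->mss_fix assignments); `mss_fixup_dowork(&newbuf, (uint16_t)(maxmss - 20));` would be consistent and keep the old `(uint16_t) maxmss-20` semantics, where the cast bound to maxmss alone. If maxmss can ever be below 20 here the subtraction wraps to a value near 65535 and that is what gets written into the SYN's MSS option; whether callers guarantee a minimum is not visible in this hunk, so a one-line comment naming that precondition would help. The body of mss_fixup_ipv6 starts outside the hunk.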
@@ -191,13 +191,14 @@
{
continue;
}
- mssval = (opt[2]<<8)+opt[3];
+ mssval = opt[2] << 8;
+ mssval += opt[3];
if (mssval > maxmss)
{
- dmsg(D_MSS, "MSS: %d -> %d", (int) mssval, (int) maxmss);
+ dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss);
accumulate = htons(mssval);
- opt[2] = (maxmss>>8)&0xff;
- opt[3] = maxmss&0xff;
+ opt[2] = (uint8_t)((maxmss>>8)&0xff);
+ opt[3] = (uint8_t)(maxmss&0xff);
accumulate -= htons(maxmss);
ADJUST_CHECKSUM(accumulate, tc->check);
}
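Review bot: The split `mssval = opt[2] << 8;` / `mssval += opt[3];` reads as an arbitrary rewrite of the old one-liner and will be folded back by the next reader unless the reason is stated; presumably it avoids an implicit int-to-uint16_t conversion diagnostic, so a comment such as `/* two steps: compound assignment narrows the int intermediate without a conversion warning */` would document the intent. The declarations of mssval and accumulate are outside the hunk; the new `%" PRIu16` format is only exact if mssval is uint16_t, which is worth confirming against the declaration, and the file must include <inttypes.h> for PRIu16. The enclosing mss_fixup_dowork starts and ends outside the hunk.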
@@ -291,7 +292,7 @@
{
/* we subtract IPv4 and TCP overhead here, mssfix method will add the
* extra 20 for IPv6 */
- frame->mss_fix = options->ce.mssfix - (20 + 20);
+ frame->mss_fix = (uint16_t)(options->ce.mssfix - (20 + 20));
return;
}
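Review bot: The cast in `frame->mss_fix = (uint16_t)(options->ce.mssfix - (20 + 20));` silences the narrowing warning but also hides an underflow: if options->ce.mssfix is below 40 the int result is negative and wraps to a value near 65535, which is then advertised as the MSS in rewritten SYN packets. The new --mssfix validation in the `@@ -7234` hunk rejects non-zero values below TLS_CHANNEL_MTU_MIN but still accepts 0, and the default/encapsulated paths may assign mssfix elsewhere, so whether a zero or minimum check precedes this line is not visible here. The same applies to `frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead);` in the `@@ -325` hunk, where `target` is already an unsigned subtraction that can wrap before the cast. An explicit precondition (the project's assertion macro or an early return when mssfix is below the subtracted overhead) next to each subtraction would make the invariant the casts rely on visible. The enclosing function starts outside the hunk.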
@@ -325,7 +326,7 @@
/* This is the target value our payload needs to be smaller */
unsigned int target = options->ce.mssfix - overhead;
- frame->mss_fix = adjust_payload_max_cbc(kt, target) - payload_overhead;
+ frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead);
}
@@ -29,9 +29,9 @@
#include "mtu.h"
#include "ssl_common.h"
-void mss_fixup_ipv4(struct buffer *buf, int maxmss);
+void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss);
-void mss_fixup_ipv6(struct buffer *buf, int maxmss);
+void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss);
void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss);
@@ -203,7 +203,7 @@
buf_printf(&out, "%s ", prefix);
}
buf_printf(&out, "[");
- buf_printf(&out, " mss_fix:%d", frame->mss_fix);
+ buf_printf(&out, " mss_fix:%" PRIu16, frame->mss_fix);
#ifdef ENABLE_FRAGMENT
buf_printf(&out, " max_frag:%d", frame->max_fragment_size);
#endif
@@ -115,7 +115,7 @@
* decryption/encryption or compression. */
} buf;
- unsigned int mss_fix; /**< The actual MSS value that should be
+ uint16_t mss_fix; /**< The actual MSS value that should be
* written to the payload packets. This
* is the value for IPv4 TCP packets. For
* IPv6 packets another 20 bytes must
@@ -7234,9 +7234,19 @@
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
if (p[1])
{
+ int mssfix = positive_atoi(p[1]);
+ /* can be 0, but otherwise it needs to be high enough so we can
+ * substract room for headers. */
+ if (mssfix != 0
+ && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
+ {
+ msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
+ goto err;
+ }
+
/* value specified, assume encapsulation is not
* included unless "mtu" follows later */
- options->ce.mssfix = positive_atoi(p[1]);
+ options->ce.mssfix = mssfix;
options->ce.mssfix_encap = false;
options->ce.mssfix_default = false;
}
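Review bot: The new range check is only as good as `positive_atoi(p[1])`, whose definition is not in the hunk; if it maps non-numeric or negative input to 0, a value such as `--mssfix abc` or `--mssfix -1` passes the `mssfix != 0` test and silently disables MSS clamping instead of being reported as invalid, which is the opposite of what the added message promises. Parsing with strtol and rejecting anything that is not a complete, non-negative, in-range decimal number before the special-case for 0 closes that gap (needs <errno.h> and <stdlib.h> if the file does not already include them). The added comment also misspells "subtract" as "substract". The enclosing option handler starts outside the hunk; the final assignment assumes options->ce.mssfix is an int as before.
```c
if (p[1])
{
    char *end = NULL;
    errno = 0;
    long mssfix = strtol(p[1], &end, 10);
    /* can be 0 (disabled), but otherwise it needs to be high enough so we
     * can subtract room for headers; anything that is not a complete,
     * non-negative, in-range decimal number is an error, not 0. */
    if (end == p[1] || *end != '\0' || errno == ERANGE || mssfix < 0
        || (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX)))
    {
        msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
        goto err;
    }
    /* … unchanged: encapsulation comment … */
    options->ce.mssfix = (int)mssfix;
    /* … unchanged: mssfix_encap / mssfix_default assignments … */
```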