From d359412abd048b9b00dba631ec552e2f74038b48 Mon Sep 17 00:00:00 2001
From: Corey Wright
Date: Sun, 11 Aug 2019 05:00:04 -0500
Subject: [PATCH] Only add packet to oNCP control queue with nc and pulse protocols

Don't add packets to the oNCP control queue if not using Juniper Network Connect or Pulse Connect Secure protocols otherwise a number of packets equal to the maximum queue length can be queued and disable reading from the TUN device for the duration of the VPN connection because the packets will never get dequeued except when using those two protocols. Commit b4f50f8 broke OpenConnect transmitting across the GlobalProtect protocol with ESP packets when: 1. The tun device has an IPv6 address (eg link local). 2. IPv6 packets (eg router solicitation) are transmitted in quantity equal to maximum queue length.

Signed-off-by: Corey Wright
---
 esp.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/esp.c b/esp.c
index 2f2c0da30..5c9e196db 100644
--- a/esp.c
+++ b/esp.c
@@ -302,27 +302,31 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 			this = vpninfo->deflate_pkt;
 			len = this->len;
 		} else {
-			uint8_t dontsend;
-
 			this = dequeue_packet(&vpninfo->outgoing_queue);
 			if (!this)
 				break;
 
-			/* Pulse can only accept ESP of the same protocol as the one you
-			 * connected to it with. The other has to go over IF-T/TLS. */
-			if (vpninfo->dtls_addr->sa_family == AF_INET6)
-				dontsend = 0x40;
-			else
-				dontsend = 0x60;
-
-			if ( (this->data[0] & 0xf0) == dontsend) {
-				store_be32(&this->pulse.vendor, 0xa4c);
-				store_be32(&this->pulse.type, 4);
-				store_be32(&this->pulse.len, this->len + 16);
-				queue_packet(&vpninfo->oncp_control_queue, this);
-				work_done = 1;
-				continue;
+			if (!strcmp(vpninfo->proto->name, "nc") ||
+			    !strcmp(vpninfo->proto->name, "pulse")) {
+				uint8_t dontsend;
+
+				/* Pulse can only accept ESP of the same protocol as the one you
+				 * connected to it with. The other has to go over IF-T/TLS. */
+				if (vpninfo->dtls_addr->sa_family == AF_INET6)
+					dontsend = 0x40;
+				else
+					dontsend = 0x60;
+
+				if ( (this->data[0] & 0xf0) == dontsend) {
+					store_be32(&this->pulse.vendor, 0xa4c);
+					store_be32(&this->pulse.type, 4);
+					store_be32(&this->pulse.len, this->len + 16);
+					queue_packet(&vpninfo->oncp_control_queue, this);
+					work_done = 1;
+					continue;
+				}
 			}
+
 			len = construct_esp_packet(vpninfo, this, 0);
 			if (len < 0) {
 				/* Should we disable ESP? */
-- 
GitLab
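Review bot: The new gate `if (!strcmp(vpninfo->proto->name, "nc") || !strcmp(vpninfo->proto->name, "pulse"))` keys the packet diversion on the protocol's display name, so a later rename of either string would silently disable the check and bring back the stalled-TUN condition the commit message describes; a boolean capability on the protocol descriptor behind `vpninfo->proto`, set once when the protocol is selected, would make the intent explicit and also avoid two `strcmp` calls on every outgoing packet. The retained comment inside the block still only explains Pulse, while the gate now covers Network Connect as well, and the reason the gate exists lives only in the commit message; a comment above the new condition such as `/* Only nc and pulse ever drain oncp_control_queue; diverting packets for any other protocol fills it and stops reading from the TUN device. */` would keep that rationale next to the code. The enclosing esp_mainloop() loop starts and ends outside the hunk.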