04df865e49
- Added interop patch for (some?) Cisco VPN clients sending 16 zero bytes of extraneous IKE data - Removed fipscheck_version
commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
Author: Paul Wouters <pwouters@redhat.com>
Date: Sun Jul 14 13:27:39 2013 -0400
pluto: work around for Cisco VPN clients sending extraneous bytes
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
index cc4be99..1ae2f40 100644
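--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp)
 }
 }
 
- if (md->packet_pbs.roof != md->message_pbs.roof) {
+ if (md->packet_pbs.roof < md->message_pbs.roof) {
 libreswan_log(
- "size (%u) differs from size specified in ISAKMP HDR (%u)",
- (unsigned) pbs_room(
- &md->packet_pbs), md->hdr.isa_length);
+ "received packet size (%u) is smaller than from "
+ "size specified in ISAKMP HDR (%u) - packet dropped",
+ (unsigned) pbs_room(&md->packet_pbs),
+ md->hdr.isa_length);
+ /* abort processing corrupt packet */
 return;
+ } else if (md->packet_pbs.roof > md->message_pbs.roof) {
+ /*
+ * Some (old?) versions of the Cisco VPN client send an additional
+ * 16 bytes of zero bytes - Complain but accept it
+ */
+ DBG(DBG_CONTROL, {
+ DBG_log(
+ "size (%u) in received packet is larger than the size "
+ "specified in ISAKMP HDR (%u) - ignoring extraneous bytes",
+ (unsigned) pbs_room(&md->packet_pbs),
+ md->hdr.isa_length);
+ DBG_dump("extraneous bytes:", md->message_pbs.roof,
+ md->packet_pbs.roof - md->message_pbs.roof);
+ /* continue */
+ });
 }
 
 maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT);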
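Review bot: The new `else if (md->packet_pbs.roof > md->message_pbs.roof)` branch accepts any amount of trailing data with any content, while its comment describes only one case, 16 zero bytes sent by some Cisco VPN clients. Bytes beyond the length declared in the ISAKMP header presumably fall outside what the later message parsing and integrity checks cover, so it would be safer to accept only the documented case and keep dropping everything else, e.g. `if (md->packet_pbs.roof - md->message_pbs.roof != 16) return;` followed by an all-zero check on those bytes before continuing. The acceptance is reported only inside `DBG(DBG_CONTROL, ...)`, so without that debug flag an oversized packet leaves no trace even though the comment says "Complain"; a rate-limited `libreswan_log` line would make such packets visible to operators. The drop message in the first branch reads "is smaller than from size specified" and should lose the word "from". process_packet begins before and continues after this hunk, so how the later code bounds its reads (message_pbs versus packet_pbs) is not visible here.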