1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2008 OpenVPN Solutions LLC <info@openvpn.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "syshead.h"
#include "error.h"
#include "mss.h"
#include "memdbg.h"
/*
* Lower MSS on TCP SYN packets to fix MTU
* problems which arise from protocol
* encapsulation.
*/
void
mss_fixup (struct buffer *buf, int maxmss)
{
const struct openvpn_iphdr *pip;
int hlen;
if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
return;
verify_align_4 (buf);
pip = (struct openvpn_iphdr *) BPTR (buf);
hlen = OPENVPN_IPH_GET_LEN (pip->version_len);
if (pip->protocol == OPENVPN_IPPROTO_TCP
&& ntohs (pip->tot_len) == BLEN (buf)
&& (ntohs (pip->frag_off) & OPENVPN_IP_OFFMASK) == 0
&& hlen <= BLEN (buf)
&& BLEN (buf) - hlen
>= (int) sizeof (struct openvpn_tcphdr))
{
struct buffer newbuf = *buf;
if (buf_advance (&newbuf, hlen))
{
struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR (&newbuf);
if (tc->flags & OPENVPN_TCPH_SYN_MASK)
mss_fixup_dowork (&newbuf, (uint16_t) maxmss);
}
}
}
void
mss_fixup_dowork (struct buffer *buf, uint16_t maxmss)
{
int hlen, olen, optlen;
uint8_t *opt;
uint16_t *mss;
int accumulate;
struct openvpn_tcphdr *tc;
ASSERT (BLEN (buf) >= (int) sizeof (struct openvpn_tcphdr));
verify_align_4 (buf);
tc = (struct openvpn_tcphdr *) BPTR (buf);
hlen = OPENVPN_TCPH_GET_DOFF (tc->doff_res);
/* Invalid header length or header without options. */
if (hlen <= (int) sizeof (struct openvpn_tcphdr)
|| hlen > BLEN (buf))
return;
for (olen = hlen - sizeof (struct openvpn_tcphdr),
opt = (uint8_t *)(tc + 1);
olen > 0;
olen -= optlen, opt += optlen) {
if (*opt == OPENVPN_TCPOPT_EOL)
break;
else if (*opt == OPENVPN_TCPOPT_NOP)
optlen = 1;
else {
optlen = *(opt + 1);
if (optlen <= 0 || optlen > olen)
break;
if (*opt == OPENVPN_TCPOPT_MAXSEG) {
if (optlen != OPENVPN_TCPOLEN_MAXSEG)
continue;
mss = (uint16_t *)(opt + 2);
if (ntohs (*mss) > maxmss) {
dmsg (D_MSS, "MSS: %d -> %d",
(int) ntohs (*mss),
(int) maxmss);
accumulate = *mss;
*mss = htons (maxmss);
accumulate -= *mss;
ADJUST_CHECKSUM (accumulate, tc->check);
}
}
}
}
}
|