diff options
author | Kristof Provost <kp@FreeBSD.org> | 2022-09-21 10:17:34 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2022-09-21 19:44:59 +0000 |
commit | 9dfbbc919fd768cff8079af1e458d2c5d5211690 (patch) | |
tree | 81612e4bc913c8e4d9cd45f896e466a479aff4e9 | |
parent | 8ea48fc59eaf475aa7d92f07db9b36370c349f3f (diff) | |
download | src-9dfbbc919fd768cff8079af1e458d2c5d5211690.tar.gz src-9dfbbc919fd768cff8079af1e458d2c5d5211690.zip |
if_ovpn: remove incorrect rounding up of packet sizes
The ciphers used by OpenVPN (DCO) do not require data to be block-sized.
Do not round up to AES_BLOCK_LEN, as this can lead to issues with
fragmented packets.
Reported by: Gert Doering <gert@greenie.muc.de>
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- | sys/net/if_ovpn.c | 15 |
1 files changed, 3 insertions, 12 deletions
diff --git a/sys/net/if_ovpn.c b/sys/net/if_ovpn.c index 9e0829d996ce..e2b8322d6df5 100644 --- a/sys/net/if_ovpn.c +++ b/sys/net/if_ovpn.c @@ -1557,8 +1557,6 @@ ovpn_decrypt_rx_cb(struct cryptop *crp) return (0); } -static uint8_t EMPTY_BUFFER[AES_BLOCK_LEN]; - static int ovpn_get_af(struct mbuf *m) { @@ -1729,7 +1727,7 @@ ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m, struct ovpn_softc *sc; struct cryptop *crp; uint32_t af, seq; - size_t len, real_len, ovpn_hdr_len; + size_t len, ovpn_hdr_len; int tunnel_len; int ret; @@ -1752,19 +1750,12 @@ ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m, if (af != 0) BPF_MTAP2(ifp, &af, sizeof(af), m); - real_len = len = m->m_pkthdr.len; - MPASS(real_len <= ifp->if_mtu); + len = m->m_pkthdr.len; + MPASS(len <= ifp->if_mtu); ovpn_hdr_len = sizeof(struct ovpn_wire_header); if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) ovpn_hdr_len -= 16; /* No auth tag. */ - else { - /* Round up the len to a multiple of our block size. */ - len = roundup2(real_len, AES_BLOCK_LEN); - - /* Now extend the mbuf. */ - m_append(m, len - real_len, EMPTY_BUFFER); - } M_PREPEND(m, ovpn_hdr_len, M_NOWAIT); if (m == NULL) { |