Bug 1729693 - openconnect drop vpn connection if packet arrived is larger than MTU and larger than 16384 (Juniper / Pulse)
Alias: None
Product: Fedora
Classification: Fedora
Component: openconnect
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Woodhouse
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-07-13 15:26 UTC by Roberto Nunin
Modified: 2019-07-24 11:17 UTC


Description Roberto Nunin 2019-07-13 15:26:55 UTC
Description of problem: 
openconnect VPN ends immediately when the server responds with packets larger than 16384, in my case 20522.

Version-Release number of selected component (if applicable): openconnect-8.02-3.fc30.x86_64

How reproducible: Not sure this happens with all Juniper/Pulse Secure appliances; in our case it happens with the newest one, while with the oldest it doesn't happen.

Steps to Reproduce:
1. Start openconnect --protocol=nc https://<VPN URL>
2. Log in to the VPN server
3. Connection ends with: KMP message 301 from server too large (20552 bytes)

Actual results: connection ends.

Expected results: connection must stay, managing extra-size packets.

Additional info: The newest VPN appliance has "Host Checker" functionality enabled. The appliance is out of my control, so I cannot test it without "Host Checker" functionality.

Comment 1 David Woodhouse 2019-07-15 08:58:33 UTC
If you just change the bytes[16384] to bytes[32768] at the beginning of the oncp_connect() function in oncp.c does it work?

Comment 2 Roberto Nunin 2019-07-16 19:54:02 UTC
Yes, a little bit tricky to build, but it works.

Comment 3 David Woodhouse 2019-07-22 11:48:48 UTC
Thanks for testing. I'll do that in the upcoming 8.04 release. I'd quite like to know what's in that huge config packet though.

At the beginning of the parse_conf_pkt() function there is a length check followed by a call to dump_buf_hex() to dump the whole packet.

Please could you make it dump the packet unconditionally (just cut and paste that line under the closing curly brace } of the 'if (kmpend > pktlen) {' block) and mail it to dwmw2@infradead.org please.

I'll work out if 32768 is sane or if we should be going higher or even making it dynamic.

Comment 4 David Woodhouse 2019-07-24 11:17:15 UTC
I have committed a fix. I'll do an OpenConnect 8.04 release fairly soon and ship updates to Fedora.
In the meantime, it should shortly be built in the COPR at https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/
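
The fixed-buffer limit behind the "too large" disconnect, and the dynamic alternative raised in Comment 3, shown as an added example that is not OpenConnect's code. The 4-byte header layout, the function names and the 65535 cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed framing (not the real oNCP/KMP layout): 2-byte type, 2-byte
 * big-endian payload length, then the payload. */
#define HDR_LEN 4
enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_TOO_LARGE = -2, MSG_NOMEM = -3 };

/* Check the declared length against the limit and the bytes received. */
static int check_len(const uint8_t *wire, size_t wirelen, size_t limit, size_t *len)
{
    if (wirelen < HDR_LEN)
        return MSG_TRUNCATED;
    *len = ((size_t)wire[2] << 8) | wire[3];
    if (*len > limit)
        return MSG_TOO_LARGE;   /* refuse: never write past the buffer */
    if (*len > wirelen - HDR_LEN)
        return MSG_TRUNCATED;   /* header claims more than arrived */
    return MSG_OK;
}

/* Fixed buffer: the limit is the buffer size chosen at compile time. */
int recv_fixed(const uint8_t *wire, size_t wirelen, uint8_t *buf, size_t bufsz)
{
    size_t len;
    int ret = check_len(wire, wirelen, bufsz, &len);
    if (ret == MSG_OK)
        memcpy(buf, wire + HDR_LEN, len);
    return ret;
}

/* Dynamic buffer: sized from the header but still bounded by a hard cap,
 * so the peer cannot force an unbounded allocation. Caller frees *out. */
int recv_dynamic(const uint8_t *wire, size_t wirelen, size_t cap, uint8_t **out)
{
    size_t len;
    int ret = check_len(wire, wirelen, cap, &len);
    if (ret != MSG_OK)
        return ret;
    if (!(*out = malloc(len ? len : 1)))
        return MSG_NOMEM;
    memcpy(*out, wire + HDR_LEN, len);
    return MSG_OK;
}
/* Constructed input: a type-301 message with paylen zero bytes of payload. */
int try_msg(size_t paylen, size_t limit, int dynamic)
{
    uint8_t *wire = calloc(1, HDR_LEN + paylen), *buf = NULL;
    if (!wire) return MSG_NOMEM;
    wire[0] = 301 >> 8; wire[1] = 301 & 0xff;
    wire[2] = (uint8_t)(paylen >> 8); wire[3] = (uint8_t)(paylen & 0xff);
    int ret = dynamic ? recv_dynamic(wire, HDR_LEN + paylen, limit, &buf)
            : (buf = malloc(limit)) ? recv_fixed(wire, HDR_LEN + paylen, buf, limit) : MSG_NOMEM;
    free(buf); free(wire);
    return ret;
}
```

With the 20552-byte message from the report, `try_msg(20552, 16384, 0)` is rejected as too large, while a 32768-byte fixed buffer or a capped dynamic buffer accepts it.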
