From 613f4a7c9fda4dd6f0063caefab6c03d4a628667 Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Mon, 9 Oct 2023 12:51:51 +0200 Subject: [PATCH] Change type of frame.mss_fix to uint16_t Since in the end this always ends up as an uint16_t anyway, just make the conversion much earlier. Cleans up the code and removes some -Wconversion warnings. v2: - proper error handling in options.c v4: - also introduce a minimum mssfix Change-Id: Id8321dfbb8ad8d79f4bb2a9da61f8cd6b6c6ee26 Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Message-Id: <20231009105151.34074-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/search?l=mid&q=20231009105151.34074-1-frank@lichtenheld.com Signed-off-by: Gert Doering --- src/openvpn/mss.c | 21 +++++++++++---------- src/openvpn/mss.h | 4 ++-- src/openvpn/mtu.c | 2 +- src/openvpn/mtu.h | 2 +- src/openvpn/options.c | 12 +++++++++++- 5 files changed, 26 insertions(+), 15 deletions(-) diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index 816e65b6d9a..42270472180 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -44,7 +44,7 @@ * if yes, hand to mss_fixup_dowork() */ void -mss_fixup_ipv4(struct buffer *buf, int maxmss) +mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss) { const struct openvpn_iphdr *pip; int hlen; @@ -72,7 +72,7 @@ mss_fixup_ipv4(struct buffer *buf, int maxmss) struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { - mss_fixup_dowork(&newbuf, (uint16_t) maxmss); + mss_fixup_dowork(&newbuf, maxmss); } } } @@ -84,7 +84,7 @@ mss_fixup_ipv4(struct buffer *buf, int maxmss) * (IPv6 header structure is sufficiently different from IPv4...) */ void -mss_fixup_ipv6(struct buffer *buf, int maxmss) +mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss) { const struct openvpn_ipv6hdr *pip6; struct buffer newbuf; @@ -130,7 +130,7 @@ mss_fixup_ipv6(struct buffer *buf, int maxmss) struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR(&newbuf); if (tc->flags & OPENVPN_TCPH_SYN_MASK) { - mss_fixup_dowork(&newbuf, (uint16_t) maxmss-20); + mss_fixup_dowork(&newbuf, maxmss-20); } } } @@ -191,13 +191,14 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) { continue; } - mssval = (opt[2]<<8)+opt[3]; + mssval = opt[2] << 8; + mssval += opt[3]; if (mssval > maxmss) { - dmsg(D_MSS, "MSS: %d -> %d", (int) mssval, (int) maxmss); + dmsg(D_MSS, "MSS: %" PRIu16 " -> %" PRIu16, mssval, maxmss); accumulate = htons(mssval); - opt[2] = (maxmss>>8)&0xff; - opt[3] = maxmss&0xff; + opt[2] = (uint8_t)((maxmss>>8)&0xff); + opt[3] = (uint8_t)(maxmss&0xff); accumulate -= htons(maxmss); ADJUST_CHECKSUM(accumulate, tc->check); } @@ -291,7 +292,7 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, { /* we subtract IPv4 and TCP overhead here, mssfix method will add the * extra 20 for IPv6 */ - frame->mss_fix = options->ce.mssfix - (20 + 20); + frame->mss_fix = (uint16_t)(options->ce.mssfix - (20 + 20)); return; } @@ -325,7 +326,7 @@ frame_calculate_mssfix(struct frame *frame, struct key_type *kt, /* This is the target value our payload needs to be smaller */ unsigned int target = options->ce.mssfix - overhead; - frame->mss_fix = adjust_payload_max_cbc(kt, target) - payload_overhead; + frame->mss_fix = (uint16_t)(adjust_payload_max_cbc(kt, target) - payload_overhead); } diff --git a/src/openvpn/mss.h b/src/openvpn/mss.h index 1c4704bd1f5..b2a68cf740d 100644 --- a/src/openvpn/mss.h +++ b/src/openvpn/mss.h @@ -29,9 +29,9 @@ #include "mtu.h" #include "ssl_common.h" -void mss_fixup_ipv4(struct buffer *buf, int maxmss); +void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss); -void mss_fixup_ipv6(struct buffer *buf, int maxmss); +void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss); void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 56db118d404..81851d38228 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -203,7 +203,7 @@ frame_print(const struct frame *frame, buf_printf(&out, "%s ", prefix); } buf_printf(&out, "["); - buf_printf(&out, " mss_fix:%d", frame->mss_fix); + buf_printf(&out, " mss_fix:%" PRIu16, frame->mss_fix); #ifdef ENABLE_FRAGMENT buf_printf(&out, " max_frag:%d", frame->max_fragment_size); #endif diff --git a/src/openvpn/mtu.h b/src/openvpn/mtu.h index b602b86b5f2..c64398de842 100644 --- a/src/openvpn/mtu.h +++ b/src/openvpn/mtu.h @@ -115,7 +115,7 @@ struct frame { * decryption/encryption or compression. */ } buf; - unsigned int mss_fix; /**< The actual MSS value that should be + uint16_t mss_fix; /**< The actual MSS value that should be * written to the payload packets. This * is the value for IPv4 TCP packets. For * IPv6 packets another 20 bytes must diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 134bb72eca9..2b68bac8c67 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7236,9 +7236,19 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) { + int mssfix = positive_atoi(p[1]); + /* can be 0, but otherwise it needs to be high enough so we can + * substract room for headers. */ + if (mssfix != 0 + && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX)) + { + msg(msglevel, "--mssfix value '%s' is invalid", p[1]); + goto err; + } + /* value specified, assume encapsulation is not * included unless "mtu" follows later */ - options->ce.mssfix = positive_atoi(p[1]); + options->ce.mssfix = mssfix; options->ce.mssfix_encap = false; options->ce.mssfix_default = false; }