On Sat, Jan 6, 2018 at 4:01 PM, Chaskiel Grundman <cgrundman at gmail.com> wrote:
> I did not test your patch, though I assume it would work, because I
> did not want to reinforce the idea that the VPN gateway is doing
> something wrong. Instead, I continued my own investigation.
>
> It turns out that in gnutls 3.5.8, gnutls_dtls_get_data_mtu() does not
> return the same value that was passed to gnutls_dtls_set_data_mtu():

Could you be more specific about which code path you are referring to? As far as I see, openconnect seems to call gnutls_dtls_set_mtu() as well as gnutls_dtls_set_data_mtu() on different code paths.

> I assume this is because when gnutls_dtls_get_data_mtu tries to
> recover the data mtu from the internal mtu, it calculates the overhead
> based on the currently set internal mtu, not the originally requested
> data mtu. If the padding for those sizes is different, the wrong
> result will be returned.

The set_data_mtu() sets the number of bytes that can be transferred encapsulated within the DTLS layer. The set_mtu() sets instead the maximum number of bytes that a DTLS message can be.

> I think that openconnect should try to detect over-large incoming DTLS
> packets and log or discard them.

That's an option too. Failing as it does now is quite sub-optimal.

regards,
Nikos
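As an added illustration (not code from this thread, from gnutls or from openconnect), here is a constructed model of a padded DTLS record that shows why a get_data_mtu() which subtracts the overhead computed for the link MTU itself does not round-trip the value given to set_data_mtu(), and how computing the largest payload that actually fits avoids the mismatch. The 13-byte header, 16-byte explicit IV, 20-byte MAC and 16-byte block are assumptions chosen for the example, not gnutls constants.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed record layout for a CBC/HMAC-SHA1 style DTLS suite (constructed
 * for illustration only): 13-byte record header, 16-byte explicit IV,
 * 20-byte MAC, and CBC padding up to a 16-byte block boundary. */
#define HDR   13
#define IV    16
#define MAC   20
#define BLOCK 16

/* Wire size of one record carrying `payload` bytes: payload + MAC + at least
 * one padding-length byte, rounded up to a whole block, plus IV and header. */
static size_t record_size_for_payload(size_t payload)
{
    size_t body = payload + MAC + 1;            /* +1 for the pad-length byte */
    body = (body + BLOCK - 1) / BLOCK * BLOCK;  /* round up to block size   */
    return HDR + IV + body;
}

/* set_data_mtu() analogue: the link MTU needed to carry `data_mtu` bytes. */
static size_t mtu_from_data_mtu(size_t data_mtu)
{
    return record_size_for_payload(data_mtu);
}

/* Naive get_data_mtu() analogue, as the mail describes the bug: the overhead
 * is computed for a record whose payload is the link MTU itself, not for the
 * payload that was originally requested. Padding differs, so the result is
 * smaller than the value that was set. */
static size_t data_mtu_from_mtu_naive(size_t mtu)
{
    size_t overhead = record_size_for_payload(mtu) - mtu;
    return mtu - overhead;
}

/* Exact inverse: the largest payload whose padded record still fits in `mtu`.
 * This always returns at least the value passed to mtu_from_data_mtu(). */
static size_t data_mtu_from_mtu_exact(size_t mtu)
{
    size_t p = 0;
    while (record_size_for_payload(p + 1) <= mtu)
        p++;
    return p;
}

int main(void)
{
    size_t requested = 1400;                      /* constructed sample value */
    size_t mtu = mtu_from_data_mtu(requested);
    printf("requested data MTU %zu -> link MTU %zu\n", requested, mtu);
    printf("naive get_data_mtu: %zu, exact: %zu\n",
           data_mtu_from_mtu_naive(mtu), data_mtu_from_mtu_exact(mtu));
    return 0;
}
```

With the sample value the naive inverse reports 1389 for a requested 1400, while the exact inverse reports 1403 (the last payload that still fits in the same padded record).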