Fix size of type 2 probe replies.

[tinc] / src / net_packet.c

diff --git a/src/net_packet.c b/src/net_packet.c
index 37535c1..f219287 100644 (file)
--- a/src/net_packet.c
+++ b/src/net_packet.c
@@ -110,7 +110,7 @@ static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
                        gettimeofday(&now, NULL);
                        uint32_t sec = htonl(now.tv_sec); memcpy(data, &sec, 4); data += 4;
                        uint32_t usec = htonl(now.tv_usec); memcpy(data, &usec, 4); data += 4;
-                       packet->len -= 10;
+                       packet->len = 14; // Minimum size for any probe packet.
                } else {
                        /* Legacy protocol: n won't understand type 2 probe replies. */
                        DATA(packet)[0] = 1;
@@ -929,6 +929,25 @@ static length_t choose_initial_maxmtu(node_t *n) {
                mtu -= SPTPS_DATAGRAM_OVERHEAD;
                if((n->options >> 24) >= 4)
                        mtu -= sizeof(node_id_t) + sizeof(node_id_t);
+       } else {
+               mtu -= digest_length(n->outdigest);
+
+               /* Now it's tricky. We use CBC mode, so the length of the
+                  encrypted payload must be a multiple of the blocksize. The
+                  sequence number is also part of the encrypted payload, so we
+                  must account for it after correcting for the blocksize.
+                  Furthermore, the padding in the last block must be at least
+                  1 byte. */
+
+               length_t blocksize = cipher_blocksize(n->outcipher);
+
+               if(blocksize > 1) {
+                       mtu /= blocksize;
+                       mtu *= blocksize;
+                       mtu--;
+               }
+
+               mtu -= 4; // seqno
        }
 
        if (mtu < 512) {