diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 2461a20703a..d665ffadd1a 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -27,7 +27,7 @@ #include "basic.h" #include "error.h" -#define BUF_SIZE_MAX 1000000 +#define BUF_SIZE_MAX 2097152 // 2^21 /* * Define verify_align function, otherwise diff --git a/src/openvpn/common.h b/src/openvpn/common.h index f77685c8f32..aa3371ab9d3 100644 --- a/src/openvpn/common.h +++ b/src/openvpn/common.h @@ -66,7 +66,7 @@ typedef unsigned long ptr_type; * maximum size of a single TLS message (cleartext). * This parameter must be >= PUSH_BUNDLE_SIZE */ -#define TLS_CHANNEL_BUF_SIZE 2048 +#define TLS_CHANNEL_BUF_SIZE 262144 // 2^18 /* TLS control buffer minimum size * diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b139591..56deeacffdb 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -40,7 +40,10 @@ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) #define ERR_BUF_SIZE 10240 #else -#define ERR_BUF_SIZE 1280 +/* + * Increase the error buffer size to 256 KB. + */ +#define ERR_BUF_SIZE 262144 // 2^18 #endif struct gc_arena; diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index db88e347911..db86fcd313c 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -2244,7 +2244,7 @@ man_read(struct management *man) /* * read command line from socket */ - unsigned char buf[256]; + unsigned char buf[MANAGEMENT_SOCKET_READ_BUFFER_SIZE]; int len = 0; #ifdef TARGET_ANDROID @@ -2580,7 +2580,7 @@ man_connection_init(struct management *man) * Allocate helper objects for command line input and * command output from/to the socket. */ - man->connection.in = command_line_new(1024); + man->connection.in = command_line_new(COMMAND_LINE_OPTION_BUFFER_SIZE); man->connection.out = buffer_list_new(); /* diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 2ced9083581..6a51a96b8ed 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -58,6 +58,9 @@ #define MANAGEMENT_ECHO_BUFFER_SIZE 100 #define MANAGEMENT_STATE_BUFFER_SIZE 100 +#define COMMAND_LINE_OPTION_BUFFER_SIZE OPTION_PARM_SIZE +#define MANAGEMENT_SOCKET_READ_BUFFER_SIZE OPTION_PARM_SIZE + /* * Management-interface-based deferred authentication */ diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index b000b729a18..eb9769360f3 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -65,7 +65,10 @@ struct user_pass #ifdef ENABLE_PKCS11 #define USER_PASS_LEN 4096 #else -#define USER_PASS_LEN 128 +/* + * Increase the username and password length size to 128KB. + */ +#define USER_PASS_LEN 131072 // 2^17 #endif /* Note that username and password are expected to be null-terminated */ char username[USER_PASS_LEN]; diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 7df717f73f6..18697f8f070 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -54,8 +54,8 @@ /* * Max size of options line and parameter. */ -#define OPTION_PARM_SIZE 256 -#define OPTION_LINE_SIZE 256 +#define OPTION_PARM_SIZE USER_PASS_LEN +#define OPTION_LINE_SIZE OPTION_PARM_SIZE extern const char title_string[]; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 78cec90a1c5..d4f02aa2516 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1914,7 +1914,7 @@ key_state_soft_reset(struct tls_session *session) static bool write_empty_string(struct buffer *buf) { - if (!buf_write_u16(buf, 0)) + if (!buf_write_u32(buf, 0)) { return false; } @@ -1929,7 +1929,7 @@ write_string(struct buffer *buf, const char *str, const int maxlen) { return false; } - if (!buf_write_u16(buf, len)) + if (!buf_write_u32(buf, len)) { return false; } @@ -2269,6 +2269,10 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi p2p_mode_ncp(multi, session); } + // Write key length in the first 4 octets of the buffer. + uint32_t length = BLEN(buf); + memcpy(buf->data, &length, sizeof(length)); + return true; error: