Only add packet to oNCP control queue with nc and pulse protocols
authorCorey Wright <cwright@digitalocean.com>
Sun, 11 Aug 2019 10:00:04 +0000 (05:00 -0500)
committerDavid Woodhouse <dwmw2@infradead.org>
Mon, 12 Aug 2019 08:35:34 +0000 (10:35 +0200)
Don't add packets to the oNCP control queue if not using Juniper
Network Connect or Pulse Connect Secure protocols otherwise a number
of packets equal to the maximum queue length can be queued and disable
reading from the TUN device for the duration of the VPN connection
because the packets will never get dequeued except when using those
two protocols.

Commit b4f50f8 broke OpenConnect transmitting across the GlobalProtect
protocol with ESP packets when:
1. The tun device has an IPv6 address (eg link local).
2. IPv6 packets (eg router solicitation) are transmitted in quantity
   equal to maximum queue length.

[dwmw2: Check the udp_send_probes function instead of two string compares]
Signed-off-by: Corey Wright <cwright@digitalocean.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
esp.c

diff --git a/esp.c b/esp.c
index 2f2c0da307fb2d6a9d0264e5d8530b7aaab1882e..42c51c3ecc2494678184b4afd300fb0b33c0b250 100644 (file)
--- a/esp.c
+++ b/esp.c
@@ -302,27 +302,30 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                        this = vpninfo->deflate_pkt;
                        len = this->len;
                } else {
-                       uint8_t dontsend;
-
                        this = dequeue_packet(&vpninfo->outgoing_queue);
                        if (!this)
                                break;
 
-                       /* Pulse can only accept ESP of the same protocol as the one you
-                        * connected to it with. The other has to go over IF-T/TLS. */
-                       if (vpninfo->dtls_addr->sa_family == AF_INET6)
-                               dontsend = 0x40;
-                       else
-                               dontsend = 0x60;
-
-                       if ( (this->data[0] & 0xf0) == dontsend) {
-                               store_be32(&this->pulse.vendor, 0xa4c);
-                               store_be32(&this->pulse.type, 4);
-                               store_be32(&this->pulse.len, this->len + 16);
-                               queue_packet(&vpninfo->oncp_control_queue, this);
-                               work_done = 1;
-                               continue;
+                       if (vpninfo->proto->udp_send_probes == oncp_esp_send_probes) {
+                               uint8_t dontsend;
+
+                               /* Pulse/NC can only accept ESP of the same protocol as the one
+                                * you connected to it with. The other has to go over IF-T/TLS. */
+                               if (vpninfo->dtls_addr->sa_family == AF_INET6)
+                                       dontsend = 0x40;
+                               else
+                                       dontsend = 0x60;
+
+                               if ( (this->data[0] & 0xf0) == dontsend) {
+                                       store_be32(&this->pulse.vendor, 0xa4c);
+                                       store_be32(&this->pulse.type, 4);
+                                       store_be32(&this->pulse.len, this->len + 16);
+                                       queue_packet(&vpninfo->oncp_control_queue, this);
+                                       work_done = 1;
+                                       continue;
+                               }
                        }
+
                        len = construct_esp_packet(vpninfo, this, 0);
                        if (len < 0) {
                                /* Should we disable ESP? */
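Review bot: The new guard `if (vpninfo->proto->udp_send_probes == oncp_esp_send_probes)` encodes the real invariant only implicitly: a packet may be diverted to oncp_control_queue solely because NC and Pulse are the protocols that drain that queue, as the commit message explains, and a future protocol that reuses oncp_esp_send_probes without draining the queue would silently reintroduce the TUN-read stall this commit fixes. I would state that in a comment on the guard, e.g. `/* Only NC and Pulse (both register oncp_esp_send_probes) ever dequeue oncp_control_queue; diverting packets there under any other protocol fills the queue and stops TUN reads for the life of the connection. */`, so the function-pointer comparison is not mistaken for an arbitrary protocol check. As a point of style, the retained `0xa4c`, type `4` and `+ 16` header values would read better as named constants if the project already has them. The enclosing esp_mainloop both starts and ends outside this hunk.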