www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
Limit netmask on Windows TAP setup to 255.255.255.254
author David Woodhouse <David.Woodhouse@intel.com>
Fri, 23 Sep 2016 14:29:25 +0000 (15:29 +0100)
committer David Woodhouse <David.Woodhouse@intel.com>
Fri, 23 Sep 2016 14:29:25 +0000 (15:29 +0100)
This makes a start on the problems with point-to-point configurations,
discussed in https://github.com/openconnect/openconnect-gui/issues/132

Some work is required in vpnc-script-win.js to make the routing do
anything useful, but at least it's not now *impossible* to persuade
it to pass any traffic.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
tun-win32.c

index a7f2258dcb1e083c72818eedfe6481f78939560c..1df3e46afddc4baf70732921e1463386ce743ed2 100644 (file)
@@ -195,7 +195,12 @@ static intptr_t open_tun(struct openconnect_info *vpninfo, char *guid, char *nam
                     data[0], data[1], data[2]);
 
        data[0] = inet_addr(vpninfo->ip_info.addr);
-       data[2] = inet_addr(vpninfo->ip_info.netmask);
+       /* Always ensure the netmask is no smaller than /31. This isn't a
+        * sensible Ethernet netmask, but at least as far as the TAP-Windows
+        * driver is concerned, it does allow for the existence of *one* other
+        * host for which ARP replies can be faked, and which we can use as
+        * the "router". */
+       data[2] = inet_addr(vpninfo->ip_info.netmask) & 0xfeffffff;
        data[1] = data[0] & data[2];
 
        if (!DeviceIoControl(tun_fh, TAP_IOCTL_CONFIG_TUN,
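
Review bot: The magic constant in `data[2] = inet_addr(vpninfo->ip_info.netmask) & 0xfeffffff;` only clears the low bit of the last octet because inet_addr() returns the address in network byte order and the host is little-endian. Writing the mask as `htonl(0xfffffffe)` would say "/31" directly and would not depend on host byte order. The result of inet_addr() is also still unchecked here: on an unparsable netmask string it returns INADDR_NONE (0xffffffff), which this line now silently turns into 255.255.255.254, so a malformed server-supplied netmask is indistinguishable from a legitimate /32; consider validating the string before masking. Minor wording point in the new comment: "no smaller than /31" reads ambiguously, since a /32 is a longer prefix but a smaller network; "no longer than /31" or "at most 255.255.255.254" (as in the commit subject) would be clearer.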