From 16fc31a84b39de97c589508b4ba553c34b21ec9b Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Fri, 23 Sep 2016 15:29:25 +0100
Subject: [PATCH] Limit netmask on Windows TAP setup to 255.255.255.254
This makes a start on the problems with point-to-point configurations, discussed in https://github.com/openconnect/openconnect-gui/issues/132 Some work is required in vpnc-script-win.js to make the routing do anything useful, but at least it's not now *impossible* to persuade it to pass any traffic.
Signed-off-by: David Woodhouse
---
 tun-win32.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tun-win32.c b/tun-win32.c
index a7f2258d..1df3e46a 100644
--- a/tun-win32.c
+++ b/tun-win32.c
@@ -195,7 +195,12 @@ static intptr_t open_tun(struct openconnect_info *vpninfo, char *guid, char *nam
 data[0], data[1], data[2]);
 data[0] = inet_addr(vpninfo->ip_info.addr);
- data[2] = inet_addr(vpninfo->ip_info.netmask);
+ /* Always ensure the netmask is no smaller than /31. This isn't a
+ * sensible Ethernet netmask, but at least as far as the TAP-Windows
+ * driver is concerned, it does allow for the existence of *one* other
+ * host for which ARP replies can be faked, and which we can use as
+ * the "router". */
+ data[2] = inet_addr(vpninfo->ip_info.netmask) & 0xfeffffff;
 data[1] = data[0] & data[2];
 if (!DeviceIoControl(tun_fh, TAP_IOCTL_CONFIG_TUN,
-- 
2.49.0
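Review bot: The constant `0xfeffffff` on the added `data[2]` line equals 255.255.255.254 only on a little-endian host, because inet_addr() returns the address in network byte order; `data[2] = inet_addr(vpninfo->ip_info.netmask) & htonl(0xfffffffe);` states the intent without the byte-order assumption. The same line also hides inet_addr()'s failure value: INADDR_NONE is all ones, so a netmask string that does not parse is masked into a valid-looking /31 and handed to TAP_IOCTL_CONFIG_TUN, and since the netmask presumably comes from the server-supplied configuration it is worth rejecting or logging an unparsable value before this point. The new comment's "no smaller than /31" would read more clearly as "no longer than /31 (255.255.255.254)". open_tun starts and ends outside the hunk, so any earlier validation of ip_info.netmask is not visible here.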