commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8

Author: Paul Wouters <pwouters@redhat.com>

Date:   Sun Jul 14 13:27:39 2013 -0400

    pluto: work around for Cisco VPN clients sending extraneous bytes

diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c

index cc4be99..1ae2f40 100644

--- a/programs/pluto/demux.c

+++ b/programs/pluto/demux.c

@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp)

 		}

 	}

-	if (md->packet_pbs.roof != md->message_pbs.roof) {

+	if (md->packet_pbs.roof < md->message_pbs.roof) {

 		libreswan_log(

-			"size (%u) differs from size specified in ISAKMP HDR (%u)",

-			(unsigned) pbs_room(

-				&md->packet_pbs), md->hdr.isa_length);

+			"received packet size (%u) is smaller than from "

+			"size specified in ISAKMP HDR (%u) - packet dropped",

+			(unsigned) pbs_room(&md->packet_pbs),

+			md->hdr.isa_length);

+		/* abort processing corrupt packet */

 		return;

+	} else if (md->packet_pbs.roof > md->message_pbs.roof) {

+		/*

+		 * Some (old?) versions of the Cisco VPN client send an additional

+		 * 16 bytes of zero bytes - Complain but accept it

+		 */

+		DBG(DBG_CONTROL, {

+			DBG_log(

+			"size (%u) in received packet is larger than the size "

+			"specified in ISAKMP HDR (%u) - ignoring extraneous bytes",

+			(unsigned) pbs_room(&md->packet_pbs),

+			md->hdr.isa_length);

+			DBG_dump("extraneous bytes:", md->message_pbs.roof,

+				md->packet_pbs.roof - md->message_pbs.roof);

+		/* continue */

+		});

 	}

 	maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT);