From 37aa1ba5345ddaaea82e9eed9e5304af5fa377b1 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Sun, 12 Jun 2022 23:04:50 +0200
Subject: [PATCH] Proto_OpenVPN: Set max allowed ACKs to 8 for P_ACK_V1

OpenVPN always allowed 8 ACKs in P_ACK_V1 packets but only used up to 4 in other control packets. Since Softether drops all packets with more than 4 ACKs it also drops legimate P_ACK_V1. See also this issue: https://github.com/schwabe/ics-openvpn/issues/1486
---
 src/Cedar/Proto_OpenVPN.c | 6 +++++-
 src/Cedar/Proto_OpenVPN.h | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/Cedar/Proto_OpenVPN.c b/src/Cedar/Proto_OpenVPN.c
index 9f56def2..ca602db1 100644
--- a/src/Cedar/Proto_OpenVPN.c
+++ b/src/Cedar/Proto_OpenVPN.c
@@ -1902,6 +1902,10 @@ BUF *OvsBuildPacket(OPENVPN_PACKET *p)
 // NumAck
 num_ack = MIN(p->NumAck, OPENVPN_MAX_NUMACK);
+ if (p->OpCode != OPENVPN_P_ACK_V1)
+ {
+ num_ack = MIN(num_ack, OPENVPN_MAX_NUMACK_NONACK);
+ }
 WriteBufChar(b, (UCHAR)num_ack);
 if (p->NumAck >= 1)
@@ -1982,7 +1986,7 @@ OPENVPN_PACKET *OvsParsePacket(UCHAR *data, UINT size)
 ret->NumAck = uc;
- if (ret->NumAck > 4)
+ if (ret->NumAck > OPENVPN_MAX_NUMACK)
 {
 goto LABEL_ERROR;
 }
diff --git a/src/Cedar/Proto_OpenVPN.h b/src/Cedar/Proto_OpenVPN.h
index cc723df0..0ca10f0b 100644
--- a/src/Cedar/Proto_OpenVPN.h
+++ b/src/Cedar/Proto_OpenVPN.h
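Review bot: The count byte emitted by `WriteBufChar(b, (UCHAR)num_ack);` is now capped at OPENVPN_MAX_NUMACK_NONACK for non-ACK opcodes, but the code that writes the individual ACK packet IDs after `if (p->NumAck >= 1)` is outside the hunk; if that loop bounds itself with `MIN(p->NumAck, OPENVPN_MAX_NUMACK)` instead of `num_ack`, a control packet carrying five to eight ACKs will announce 4 IDs and then serialize more, producing a packet the peer cannot parse consistently. The loop limit should be `num_ack` so the header byte and the ID list always agree; the rest of OvsBuildPacket is not visible here, so this needs confirming against the full function. A one-line why-comment on the new branch would also help the next reader, e.g. `// Peers accept up to 8 ACKs only in P_ACK_V1; other control packets carry at most 4`.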
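Review bot: Replacing the literal 4 with OPENVPN_MAX_NUMACK in `if (ret->NumAck > OPENVPN_MAX_NUMACK)` lets the parser accept up to 8 peer-supplied ACK IDs, so the array in OPENVPN_PACKET that receives them must be sized from OPENVPN_MAX_NUMACK (which the header hunk raises to 8) rather than a hard-coded 4; the struct definition is not part of this patch, so please confirm, because a literal-sized array would turn the now-permitted NumAck values of 5 to 8 into an out-of-bounds write on untrusted input. The check lives in OvsParsePacket, whose body continues past the hunk. For symmetry with OvsBuildPacket, the parser could additionally reject non-P_ACK_V1 opcodes with more than OPENVPN_MAX_NUMACK_NONACK entries, though that is optional once the array is sized for 8.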
@@ -14,7 +14,8 @@
 #define OPENVPN_UDP_PORT 1194 // OpenVPN default UDP port number
 #define OPENVPN_UDP_PORT_INCLUDE 1195 // OpenVPN default UDP port number (Operating within the client)
-#define OPENVPN_MAX_NUMACK 4 // The maximum number of ACKs
+#define OPENVPN_MAX_NUMACK 8 // The maximum number of ACKs
+#define OPENVPN_MAX_NUMACK_NONACK 4 // The maximum number of ACKs in != P_ACK_V1
 #define OPENVPN_NUM_CHANNELS 8 // Maximum number of channels during a session
 #define OPENVPN_CONTROL_PACKET_RESEND_INTERVAL 500 // Control packet retransmission interval
 #define OPENVPN_CONTROL_PACKET_MAX_DATASIZE 1200 // Maximum data size that can be stored in one control packet