From 78e504210add19343e65f5c5b80be9ea6e9e95ab Mon Sep 17 00:00:00 2001
From: Kristof Provost <kp@FreeBSD.org>
Date: Wed, 1 Mar 2023 10:18:51 +0100
Subject: [PATCH] options.c: enforce a minimal fragment size

Very low values for 'fragment' can result in a division by zero in
optimal_fragment_size() (because it rounds max_frag_size down with
FRAG_SIZE_ROUND_MASK).

Enforce a minimal fragment size of 68 bytes, based on RFC 791 ("Every
internet module must be able to forward a datagram of 68 octets without
further fragmentation.")

Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301091851.82243-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26313.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
 src/openvpn/options.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2e41eea4e..45d0e0fa8 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -6549,6 +6549,12 @@ add_option(struct options *options,
         VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
         options->ce.fragment = positive_atoi(p[1]);
 
+        if (options->ce.fragment < 68)
+        {
+            msg(msglevel, "--fragment needs to be at least 68");
+            goto err;
+        }
+
         if (p[2] && streq(p[2], "mtu"))
         {
             options->ce.fragment_encap = true;
-- 
2.47.3