
Commit fa61fe4

committed
complain if we get the wrong code in a response.
But we still accept and process it, as the signature is correct.
1 parent 0a47d7e commit fa61fe4

1 file changed

Lines changed: 38 additions & 3 deletions


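--- a/src/main/process.c
+++ b/src/main/process.c
@@ -3005,6 +3005,23 @@ static void mark_home_server_alive(REQUEST *request, home_server_t *home)
 request->proxy->dst_port);
 }
 
+/*
+* If we have a reply, what should the request have been?
+*/
+static const unsigned int reply2request[FR_MAX_PACKET_CODE] = {
+[PW_CODE_ACCESS_ACCEPT] = PW_CODE_ACCESS_REQUEST,
+[PW_CODE_ACCESS_CHALLENGE] = PW_CODE_ACCESS_REQUEST,
+[PW_CODE_ACCESS_REJECT] = PW_CODE_ACCESS_REQUEST,
+
+[PW_CODE_ACCOUNTING_RESPONSE] = PW_CODE_ACCOUNTING_REQUEST,
+
+[PW_CODE_COA_ACK] = PW_CODE_COA_REQUEST,
+[PW_CODE_COA_NAK] = PW_CODE_COA_REQUEST,
+
+[PW_CODE_DISCONNECT_ACK] = PW_CODE_DISCONNECT_REQUEST,
+[PW_CODE_DISCONNECT_NAK] = PW_CODE_DISCONNECT_REQUEST,
+};
+
 
 int request_proxy_reply(RADIUS_PACKET *packet)
 {
@@ -3035,9 +3052,9 @@ int request_proxy_reply(RADIUS_PACKET *packet)
 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
 
 /*
-* No reply, BUT the current packet fails verification:
-* ignore it. This does the MD5 calculations in the
-* server core, but I guess we can fix that later.
+* No previous reply, check if the packet is OK. This
+* does the MD5 calculations in the worker thread, which
+* we should fix later.
 */
 if (!request->proxy_reply) {
 decode_fail_t reason;
@@ -3066,6 +3083,24 @@ int request_proxy_reply(RADIUS_PACKET *packet)
 return 0;
 }
 
+/*
+* Any request can get a Protocol-Error reply.
+*
+* Status-Server can get any reply.
+*
+* Other requests should receive the correct reply.
+*/
+if ((packet->code != PW_CODE_PROTOCOL_ERROR) &&
+(request->proxy->code != PW_CODE_STATUS_SERVER)) {
+if (reply2request[packet->code] != request->proxy->code) {
+RERROR("Proxy sent %s and received unexpected %s in response.",
+fr_packet_codes[request->proxy->code], fr_packet_codes[packet->code]);
+REDEBUG("Please update the home server to send the correct code.");
+REDEBUG("The Response Authenticator is correct, so we are processing the packet.");
+REDEBUG("However, the server is likely to do the wrong thing with the wrong response code.");
+}
+}
+
 /*
 * BlastRADIUS checks. We're running in the main
 * listener thread, so there's no conflict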
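Review bot: The new check indexes `reply2request[packet->code]` and `fr_packet_codes[packet->code]` with a value that comes from the received packet, and nothing in the visible lines bounds it against `FR_MAX_PACKET_CODE`. The receive path may already reject out-of-range codes before request_proxy_reply() runs, but that is outside this section. If it does, a comment such as `/* packet->code was range-checked when the packet was received */` above the lookup would record the assumption; if it does not, the condition should also require `packet->code < FR_MAX_PACKET_CODE`. The mismatch is only logged and the packet is still processed, as the commit message states, so the lookup has to be safe for any code a home server can send. request_proxy_reply()'s body starts and ends outside the hunks shown.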
