Can't verify fake dynamic client lookup packet as there is no shared secret yet
authorNick Porter <nick@portercomputing.co.uk>
Mon, 26 Jun 2023 13:04:41 +0000 (14:04 +0100)
committerNick Porter <nick@portercomputing.co.uk>
Mon, 26 Jun 2023 13:04:41 +0000 (14:04 +0100)
src/listen/radius/proto_radius.c

index 03fa33ef433f6af69ea0473d3e4e3bf9afb90901..74bf2a5a0def55ae4099152848f762d4a8a46d3c 100644 (file)
@@ -214,7 +214,12 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *
 
        client = address->radclient;
 
-       if (fr_radius_verify(data, NULL, (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1,
+       /*
+        *      !client->active means a fake packet defining a dynamic client - so there will
+        *      be no secret defined yet - so can't verify.
+        */
+       if (client->active &&
+           fr_radius_verify(data, NULL, (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1,
                             client->message_authenticator) < 0) {
                RPEDEBUG("Failed verifying packet signature.");
                return -1;
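Review bot: The added `client->active &&` guard lets a single flag skip signature verification, and nothing visible in the hunk confirms that an inactive client can only be the internally generated dynamic-client lookup packet. Because mod_decode also decodes packets that arrived from the network, the invariant would be safer stated in code, for example `fr_assert(client->active || client->dynamic);` just before the `if` (assuming the client structure carries a `dynamic` flag, which the comment implies but the hunk does not show). A debug line on the skipped path, such as `RDEBUG3("Not verifying packet signature for dynamic client definition");`, would also make the bypass visible in logs instead of silent. mod_decode's body starts before and continues after this hunk, so the callers that set `active` should be checked against that assumption.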