reject if we have success + fatal error

diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
index 2327c70d15765c9ddacc798476b91d56a9af91fc..cf4fd82151facea5977b7538e1f503f55ed0051f 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
@@ -517,7 +517,7 @@ unexpected:
        if (status) {
                if (status == EAP_TEAP_TLV_RESULT_FAILURE) {
                        if (!error) {
-                               REDEBUG("Phase 2: Received Result from peer which indicates failure with error %u.  Rejecting request.", error);
+                               REDEBUG("Phase 2: Received Result TLV from peer which indicates failure with error %u.  Rejecting request.", error);
                        } else {
                                REDEBUG("Phase 2: Received Result from peer which indicates failure.  Rejecting request.");
                        }
@@ -526,11 +526,23 @@ unexpected:
 
                if (status != EAP_TEAP_TLV_RESULT_SUCCESS) {
                unknown_value:
-                       REDEBUG("Phase 2: Received Result from peer with unknown value %u.  Rejecting request.", status);
+                       REDEBUG("Phase 2: Received Result TLV from peer with unknown value %u.  Rejecting request.", status);
                        goto unexpected;
                }
        }
 
+       /*
+        *      Success + fatal Error = Failure
+        *
+        *      A fatal error MUST be accompanied by a Result TLV indicating Failure.  But if the other end
+        *      doesn't do that, we still tear down the session on Success + fatal error.
+        */
+       if ((error >= 2000) && (error <= 2999)) {
+               REDEBUG("Phase 2: Received Error TLV from peer which indicates fatal error %u.  Rejecting request.",
+                       error);
+               return 0;
+       }
+
        /*
         * Check if the peer mixed & matched TLVs.
         */