Better fix for EAP loops. Fixes #1311

diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c
index 8d681692a4e999daadf5287362f25bce17262940..89d23aa31ece224c09124a58299a40a120d4312b 100644 (file)
--- a/src/modules/rlm_eap/eap.c
+++ b/src/modules/rlm_eap/eap.c
@@ -360,10 +360,14 @@ eap_rcode_t eap_method_select(rlm_eap_t *inst, eap_handler_t *handler)
         *      the parent has a home_server defined, then this
         *      request is being processed through a virtual
         *      server... so that's OK.
+        *
+        *      i.e. we're inside an EAP tunnel, which means we have a
+        *      parent.  If the outer session exists, and doesn't have
+        *      a home server, then it's multiple layers of tunneling.
         */
        if (handler->request->parent && 
-           !handler->request->parent->home_server &&
-           handler->request->parent->parent) {
+           handler->request->parent->parent &&
+           !handler->request->parent->parent->home_server) {
                RERROR("Multiple levels of TLS nesting are invalid");
 
                return EAP_INVALID;