From: Alan T. DeKok <aland@freeradius.org>
Date: Thu, 22 Jan 2026 20:44:18 +0000 (-0500)
Subject: discard state on Protocol-Error, too
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=037f2ba61d9e9ffd2ad1f6c314e6c21fee8baa48;p=thirdparty%2Ffreeradius-server.git

discard state on Protocol-Error, too

i.e. if we're sending a Protocol-Error back to the client, then
we can't do anything else with the State attribute
---

diff --git a/src/process/radius/base.c b/src/process/radius/base.c
index 0570e719f7f..223bede80c9 100644
--- a/src/process/radius/base.c
+++ b/src/process/radius/base.c
@@ -125,7 +125,7 @@ typedef struct {
 	CONF_SECTION	*disconnect_nak;
 
 	CONF_SECTION	*do_not_respond;
-	CONF_SECTION	*protocol_error;	/* @todo - allow protocol error as a reject reply? */
+	CONF_SECTION	*protocol_error;
 
 	CONF_SECTION	*new_client;
 	CONF_SECTION	*add_client;
@@ -731,9 +731,10 @@ RESUME(status_server)
 }
 #endif
 
-RESUME(protocol_error)
+RESUME_FLAG(protocol_error,UNUSED,)
 {
 	fr_pair_t 			*vp;
+	process_radius_t const		*inst = talloc_get_type_abort_const(mctx->mi->data, process_radius_t);
 
 	PROCESS_TRACE;
 
@@ -763,6 +764,13 @@ RESUME(protocol_error)
 		}
 	}
 
+	/*
+	 *	Discard any session state associated with the request.
+	 */
+	if (request->packet->code == FR_RADIUS_CODE_ACCESS_REQUEST) {
+		fr_state_discard(inst->auth.state_tree, request);
+	}
+
 	/*
 	 *	And do the generic processing after running a "send" section.
 	 */