From: Nick Porter <nick@portercomputing.co.uk>
Date: Mon, 26 Jun 2023 13:04:41 +0000 (+0100)
Subject: Can't verify fake dynamic client lookup packet as there is no shared secret yet
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=185121a256d0304c296bb8d26fb5b0df55f4dedf;p=thirdparty%2Ffreeradius-server.git

Can't verify fake dynamic client lookup packet as there is no shared secret yet
---

diff --git a/src/listen/radius/proto_radius.c b/src/listen/radius/proto_radius.c
index 03fa33ef433..74bf2a5a0de 100644
--- a/src/listen/radius/proto_radius.c
+++ b/src/listen/radius/proto_radius.c
@@ -214,7 +214,12 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t *
 
 	client = address->radclient;
 
-	if (fr_radius_verify(data, NULL, (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1,
+	/*
+	 *	!client->active means a fake packet defining a dynamic client - so there will
+	 *	be no secret defined yet - so can't verify.
+	 */
+	if (client->active &&
+	    fr_radius_verify(data, NULL, (uint8_t const *) client->secret, talloc_array_length(client->secret) - 1,
 			     client->message_authenticator) < 0) {
 		RPEDEBUG("Failed verifying packet signature.");
 		return -1;