From: Alan T. DeKok Date: Tue, 23 Jan 2024 19:23:41 +0000 (-0500) Subject: make reply checks more stringent X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3926df556c4b9220882b151d532620463e889cd6;p=thirdparty%2Ffreeradius-server.git make reply checks more stringent
---
diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c
index 9fba7b86052..f437580f1a4 100644
--- a/src/modules/rlm_radius/rlm_radius_udp.c
+++ b/src/modules/rlm_radius/rlm_radius_udp.c
@@ -1167,6 +1167,27 @@ static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *res
 RHEXDUMP3(data, packet_len, "Read packet");
+ code = data[0];
+ if (!allowed_replies[code]) {
+ REDEBUG("%s packet received unknown reply code %s",
+ fr_radius_packet_names[u->code], fr_radius_packet_names[code]);
+ return DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ }
+
+ /*
+ * Protocol error can reply to any packet.
+ *
+ * Status-Server can get any reply.
+ *
+ * Otherwise the reply code must be associated with the request code we sent.
+ */
+ if ((code != FR_RADIUS_CODE_PROTOCOL_ERROR) && (u->code != FR_RADIUS_CODE_STATUS_SERVER) &&
+ (allowed_replies[code] != u->code)) {
+ REDEBUG("%s packet received invalid reply code %s",
+ fr_radius_packet_names[u->code], fr_radius_packet_names[code]);
+ return DECODE_FAIL_UNKNOWN_PACKET_CODE;
+ }
+
 original[0] = u->code;
 original[1] = 0; /* not looked at by fr_radius_verify() */
 original[2] = 0;
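Review bot: The first REDEBUG in the added block formats `fr_radius_packet_names[code]` with `%s` for a code that allowed_replies does not recognise, and because `code` is the raw byte `data[0]` the names table is consulted for any of 256 values, some of which it may have no entry for; if those slots are NULL (not visible here), that is a NULL `%s` argument, which is undefined behaviour in printf-family calls. Printing the number is both safe and more informative for an unknown code: `REDEBUG("%s packet received unknown reply code %u", fr_radius_packet_names[u->code], code);`. If either table is sized smaller than 256 entries the two lookups would also read past its end, so a bound check against the table size before the first lookup is worth confirming or adding. The check now runs ahead of the authenticator verification whose failure path (`DECODE_FAIL_MA_INVALID`) is visible in the second hunk, so an unverified datagram can now trigger this log line; rejecting early is reasonable, but it argues for keeping the message at debug level rather than promoting it. decode() begins and ends outside the hunk.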
@@ -1179,27 +1200,6 @@ static decode_fail_t decode(TALLOC_CTX *ctx, fr_pair_list_t *reply, uint8_t *res
 return DECODE_FAIL_MA_INVALID;
 }
- code = data[0];
- if (!allowed_replies[code]) {
- REDEBUG("%s packet received invalid reply code %s",
- fr_radius_packet_names[u->code], fr_radius_packet_names[code]);
- return DECODE_FAIL_UNKNOWN_PACKET_CODE;
- }
-
- /*
- * Protocol error is allowed as a response to any
- * packet code.
- *
- * Status checks accept any response code.
- */
- if (!u->status_check && (code != FR_RADIUS_CODE_PROTOCOL_ERROR)) {
- if (allowed_replies[code] != (fr_radius_packet_code_t) u->code) {
- REDEBUG("%s packet received invalid reply code %s",
- fr_radius_packet_names[u->code], fr_radius_packet_names[code]);
- return DECODE_FAIL_UNKNOWN_PACKET_CODE;
- }
- }
-
 /*
 * Decode the attributes, in the context of the reply.
 * This only fails if the packet is strangely malformed,