From: Alan T. DeKok Date: Sat, 1 Nov 2025 18:56:40 +0000 (-0400) Subject: warn if Original-Packet-Code is missing, and delete it from the reply X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d4b09eccb6f43cf09e832ff8a01985dbb3f570e;p=thirdparty%2Ffreeradius-server.git warn if Original-Packet-Code is missing, and delete it from the reply it's a link-layer signaling issue. So we can nuke it as soon as we receive it. --- diff --git a/src/modules/rlm_radius/bio.c b/src/modules/rlm_radius/bio.c index b376b2ad3fd..960a4b2968f 100644 --- a/src/modules/rlm_radius/bio.c +++ b/src/modules/rlm_radius/bio.c @@ -1891,37 +1891,37 @@ static void protocol_error_reply(bio_request_t *u, bio_handle_t *h) */ if (attr[0] != attr_extended_attribute_1->attr) continue; - /* - * ATTR + LEN + EXT-Attr + uint32 - */ - if (attr[1] != 7) continue; + /* + * ATTR + LEN + EXT-Attr + uint32 + */ + if (attr[1] != 7) continue; - /* - * See if there's an Original-Packet-Code. - */ - if (attr[2] != (uint8_t)attr_original_packet_code->attr) continue; + /* + * See if there's an Original-Packet-Code. + */ + if (attr[2] != (uint8_t)attr_original_packet_code->attr) continue; - /* - * Has to be an 8-bit number. - */ - if ((attr[3] != 0) || - (attr[4] != 0) || - (attr[5] != 0)) { - u->rcode = RLM_MODULE_FAIL; - return; - } + /* + * Has to be an 8-bit number. + */ + if ((attr[3] != 0) || + (attr[4] != 0) || + (attr[5] != 0)) { + u->rcode = RLM_MODULE_FAIL; + return; + } - /* - * The value has to match. We don't - * currently multiplex different codes - * with the same IDs on connections. So - * this check is just for RFC compliance, - * and for sanity. - */ - if (attr[6] != u->code) { - u->rcode = RLM_MODULE_FAIL; - return; - } + /* + * The value has to match. We don't + * currently multiplex different codes + * with the same IDs on connections. So + * this check is just for RFC compliance, + * and for sanity. + */ + if (attr[6] != u->code) { + u->rcode = RLM_MODULE_FAIL; + return; + } } /* @@ -2134,6 +2134,7 @@ static void request_demux(UNUSED fr_event_list_t *el, trunk_connection_t *tconn, switch (code) { case FR_RADIUS_CODE_PROTOCOL_ERROR: protocol_error_reply(u, h); + fr_pair_delete_by_da(&request->reply_pairs, NULL, attr_original_packet_code); break; default: