From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Fri, 9 Jun 2023 15:31:04 +0000 (-0400)
Subject: radius: Don't add proxy state if there's already proxy state attributes in the reponse.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51d6aa5d7ca2cc86c7ec976b8e66f4a14c3263a1;p=thirdparty%2Ffreeradius-server.git

radius: Don't add proxy state if there's already proxy state attributes in the reponse.
---

diff --git a/src/process/radius/base.c b/src/process/radius/base.c
index 86b5a7e2816..86e5204fe38 100644
--- a/src/process/radius/base.c
+++ b/src/process/radius/base.c
@@ -408,6 +408,22 @@ void radius_request_pairs_to_reply(request_t *request, process_radius_request_pa
 {
 	if (!rctx) return;
 
+	if (fr_pair_find_by_da(&request->reply_pairs, NULL, attr_proxy_state)) {
+		/*
+		 *	Because we send Proxy-State to upstreams, if we
+		 *	include the raw upstream response in our reply,
+		 *	AND add back the proxy states we recorded from
+		 *	the request, then we have too many proxy state
+		 *	attributes!
+		 *
+		 *	There's various other ways this could happen too
+		 *	so it's safer just not to add proxy-state
+		 *	attributes to the reply if they're already
+		 *	present.
+		 */
+		RDEBUG3("Not adding Proxy-Sate attributes, already present");
+		return;
+	}
 	RDEBUG3("Adding Proxy-State attributes from request");
 	RINDENT();
 	fr_value_box_list_foreach(&rctx->proxy_state, proxy_state_value) {