From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Thu, 24 Jun 2021 20:34:15 +0000 (-0500)
Subject: Not having a matching state entry is not an error!
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e24efbfc63263674d09c7b152c094e0b838f43f3;p=thirdparty%2Ffreeradius-server.git

Not having a matching state entry is not an error!
---

diff --git a/src/lib/server/state.c b/src/lib/server/state.c
index 130c00d9e7b..9732345a0b8 100644
--- a/src/lib/server/state.c
+++ b/src/lib/server/state.c
@@ -628,10 +628,10 @@ void fr_state_discard(fr_state_tree_t *state, request_t *request)
  * @param[in] state	tree to lookup state in.
  * @param[in] request	to restore state for.
  * @return
- *	- 0 on success (state restored)
+ *	- 2 if the state attribute didn't match any known states.
  *	- 1 if no state attribute existed.
- *	- -1 if a state entry matching the value couldn't be found.
- *	- -2 if a state entry has already been thawed by a another request.
+ *	- 0 on success (state restored)
+ *	- -1 if a state entry has already been thawed by a another request.
  */
 int fr_state_to_request(fr_state_tree_t *state, request_t *request)
 {
@@ -671,8 +671,8 @@ int fr_state_to_request(fr_state_tree_t *state, request_t *request)
 		PTHREAD_MUTEX_UNLOCK(&state->mutex);
 	} else {
 		PTHREAD_MUTEX_UNLOCK(&state->mutex);
-		REDEBUG("No state entry matching &request.%pP found", vp);
-		return -1;
+		RDEBUG2("No state entry matching &request.%pP found", vp);
+		return 2;
 	}
 
 	if (!fr_pair_list_empty(&request->session_state_pairs)) {
diff --git a/src/process/radius/base.c b/src/process/radius/base.c
index 512a232cca4..233fcb17989 100644
--- a/src/process/radius/base.c
+++ b/src/process/radius/base.c
@@ -359,10 +359,9 @@ RECV(access_request)
 	process_radius_t const		*inst = talloc_get_type_abort_const(mctx->instance, process_radius_t);
 
 	/*
-	 *	Requests with invalid state values
-	 *	are extremely unlikely to result
-	 *	in success, so reject them as quickly
-	 *	as we possible.
+	 *	Only reject if the state has already been thawed.
+	 *	It could be that the state value wasn't intended
+	 *	for us, and we're just proxying upstream.
 	 */
 	if (fr_state_to_request(inst->auth.state_tree, request) < 0) {
 		fr_process_state_t const	*state;
diff --git a/src/process/ttls/base.c b/src/process/ttls/base.c
index f1b748f46b8..0d20edacb4a 100644
--- a/src/process/ttls/base.c
+++ b/src/process/ttls/base.c
@@ -356,23 +356,6 @@ RECV(access_request)
 {
 	process_ttls_t const		*inst = talloc_get_type_abort_const(mctx->instance, process_ttls_t);
 
-	/*
-	 *	Requests with invalid state values
-	 *	are extremely unlikely to result
-	 *	in success, so reject them as quickly
-	 *	as we possible.
-	 */
-	if (fr_state_to_request(inst->auth.state_tree, request) < 0) {
-		fr_process_state_t const	*state;
-		CONF_SECTION			*cs;
-
-		request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
-		UPDATE_STATE_CS(reply);
-		return unlang_module_yield_to_section(p_result, request,
-						      cs, state->rcode, state->send,
-						      NULL, NULL);
-	}
-
 	return CALL_RECV(generic);
 }