From e6df0b6635b11d6f3c0fa85e9d5e82b12ef0c962 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Fri, 17 Mar 2023 09:40:19 -0400
Subject: [PATCH] disallow CoA for fake packets. Fixes #4929 The CoA handling in process.c requires that the CoA packet be associated with a "real" request. i.e. one that was received from the network, and is therefore long-lived. "fake" packets, such as ones sent to a virtual home server, or packets used in the "inner-tunnel" virtual server can't do CoA. This is because the fake packets are freed immediately after they are processed, and there is no way for them to push the CoA child into the main event loop.
---
 src/main/map.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/main/map.c b/src/main/map.c
index a1464e3de5..ffee770fff 100644
--- a/src/main/map.c
+++ b/src/main/map.c
@@ -1108,6 +1108,11 @@ int map_to_request(REQUEST *request, vp_map_t const *map, radius_map_getvalue_t
 */
 if (((map->lhs->tmpl_list == PAIR_LIST_COA) ||
 (map->lhs->tmpl_list == PAIR_LIST_DM)) && !request->coa) {
+ if (request->parent) {
+ REDEBUG("You can only do 'update coa' when processing a packet which was received from the network");
+ return -2;
+ }
+
 if ((request->packet->code == PW_CODE_COA_REQUEST) ||
 (request->packet->code == PW_CODE_DISCONNECT_REQUEST)) {
 REDEBUG("You cannot do 'update coa' when processing a CoA / Disconnect request. Use 'update request' instead.");
--
2.47.2
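Review bot: The new `if (request->parent)` guard has no comment explaining why a child request must be refused, so the lifetime reasoning lives only in the commit message. A short comment above it would keep that invariant visible to later edits, e.g. `/* Child ("fake") requests are freed as soon as they are processed, so a CoA child cannot be handed to the main event loop. */`. The guard sits inside the `!request->coa` branch, so it presumably relies on `request->coa` never already being set on a child request; that is not visible in this hunk and is worth confirming, since the commit message says these packets are freed immediately after processing. The error text names only 'update coa' although the condition also covers `PAIR_LIST_DM`, which matches the existing message just below it. The enclosing `if` block and map_to_request() both continue outside the hunk.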