From 31c99882c69519dd8b8cf8b6b01f029bca0e1a0b Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 7 Apr 2021 13:11:33 -0400
Subject: [PATCH] close connection on "no TLS data, but connection isn't set up"
---
 src/main/tls_listen.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index aff4cde93a..2e35f2e0ef 100644
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -254,6 +254,7 @@ static int tls_socket_recv(rad_listen_t *listener)
 goto do_close;
 }
+check_for_setup:
 /*
 * More ACK data to send. Do so.
 */
@@ -273,9 +274,24 @@ static int tls_socket_recv(rad_listen_t *listener)
 * order to see if we like the certificate
 * presented by the client.
 */
-check_for_setup:
 if (sock->state == LISTEN_TLS_INIT) {
- rad_assert(SSL_is_init_finished(sock->ssn->ssl));
+ /*
+ * If INIT isn't finished, but there's no data,
+ * just close the connection. The other end is
+ * being unfriendly.
+ */
+ if (!SSL_is_init_finished(sock->ssn->ssl)) {
+ listener->status = RAD_LISTEN_STATUS_REMOVE_NOW;
+ listener->tls = NULL; /* parent owns this! */
+ PTHREAD_MUTEX_UNLOCK(&sock->mutex);
+
+ /*
+ * Tell the event handler that an FD has disappeared.
+ */
+ radius_update_listener(listener);
+ return 0;
+ }
+
 sock->ssn->is_init_finished = true;
 if (!listener->check_client_connections) {
 sock->state = LISTEN_TLS_RUNNING;
--
2.47.2
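Review bot: In the first hunk (`@@ -254,6 +254,7 @@`) the `check_for_setup:` label moves above the "More ACK data to send" block with no comment, so every `goto check_for_setup` now runs that block before reaching the `LISTEN_TLS_INIT` check. The jump sites and the block's body are outside the hunk, so the effect on each caller cannot be confirmed from here. If the intent is to send queued handshake output before deciding whether to close, state it at the label, e.g. `/* Jump target: send any queued TLS output first, then fall through to the LISTEN_TLS_INIT check. */`. It is also worth confirming that each jump site holds `sock->mutex`, because the new close path in the second hunk unlocks it unconditionally.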
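Review bot: In the second hunk (`@@ -273,9 +274,24 @@`) the new `!SSL_is_init_finished()` branch hand-copies a teardown sequence (set `RAD_LISTEN_STATUS_REMOVE_NOW`, clear `listener->tls`, unlock, call `radius_update_listener()`), although the function already has a `do_close` label, reached by `goto do_close;` in the first hunk. If `do_close` performs the same steps (its body is outside this patch), replace the copied lines with `goto do_close;` so the two close paths cannot drift apart. The branch also closes silently. A log line naming the peer, written before the close, would let operators see clients that stall or abandon the handshake. That visibility matters because this path replaces a `rad_assert` that, per the added comment, an unfriendly peer could apparently reach.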