From: Nick Porter Date: Fri, 8 Aug 2025 08:08:15 +0000 (+0100) Subject: Ensure limits are checked regardless of restricted source port range X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=c3366d9cbb38ff274e858c53311ebff6e48d32c8;p=thirdparty%2Ffreeradius-server.git Ensure limits are checked regardless of restricted source port range
---
diff --git a/src/modules/rlm_radius/rlm_radius.c b/src/modules/rlm_radius/rlm_radius.c
index 4f0039bdb9..ad8321a461 100644
--- a/src/modules/rlm_radius/rlm_radius.c
+++ b/src/modules/rlm_radius/rlm_radius.c
@@ -766,6 +766,19 @@ check_others:
 return -1;
 }
+ /*
+ * Encorce limits per trunk, due to the 8-bit ID space.
+ */
+ FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, >=, 2);
+ FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, <=, 255);
+ FR_INTEGER_BOUND_CHECK("trunk.per_connection_target", inst->trunk_conf.target_req_per_conn, <=, inst->trunk_conf.max_req_per_conn / 2);
+
+ /*
+ * This only applies for XLAT_PROXY, but what the heck.
+ */
+ FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, >=, fr_time_delta_from_sec(10));
+ FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, <=, fr_time_delta_from_sec(3600));
+
 /*
 * No src_port range, we don't need to check any other settings.
 */
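Review bot: The comment carried over above the three `FR_INTEGER_BOUND_CHECK` lines is misspelled ("Encorce") and explains only the 255 ceiling, not why the order of the three checks matters. The `trunk.per_connection_target` check reads `max_req_per_conn`, so if the macro adjusts out-of-range values (not visible here, confirm against its definition) it has to stay after the two lines that bound the maximum. I would reword it to `/* Enforce per-connection limits: the RADIUS packet ID is 8 bits, so bound max first, then bound target against max / 2. */`. The `break; case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE:` context in the following hunk suggests this block sits inside one case of a mode switch, so it is worth confirming that any other mode which matches replies by ID gets the same bounds. The enclosing function starts and ends outside the hunk.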
@@ -795,18 +808,6 @@ check_others:
 return -1;
 }
- /*
- * Encorce limits per trunk, due to the 8-bit ID space.
- */
- FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, >=, 2);
- FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, <=, 255);
- FR_INTEGER_BOUND_CHECK("trunk.per_connection_target", inst->trunk_conf.target_req_per_conn, <=, inst->trunk_conf.max_req_per_conn / 2);
-
- /*
- * This only applies for XLAT_PROXY, but what the heck.
- */
- FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, >=, fr_time_delta_from_sec(10));
- FR_TIME_DELTA_BOUND_CHECK("home_server_lifetime", inst->home_server_lifetime, <=, fr_time_delta_from_sec(3600));
 break;
 case RLM_RADIUS_MODE_UNCONNECTED_REPLICATE: