Skip to content

[defect]: rlm_cache return code mismatch with Cache-Read-Only and Cache-Status-Only in 3.2.X #5627

New issue
New issue
Open
Open
[defect]: rlm_cache return code mismatch with Cache-Read-Only and Cache-Status-Only in 3.2.X#5627
Labels
defectcategory: a defect or misbehaviourv3.2.xmeta: relates to the v3.2.x branch
@simeononsecurity

Description

@simeononsecurity
simeononsecurity
opened on Jul 25, 2025

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

1.	Define a cache module using rlm_cache_rbtree with a standard update block to populate session-state attributes (e.g., Custom OpenRoaming flags).
2.	Use Cache-Read-Only := "yes" in the control list before calling the cache module.
3.	Observe the module behavior using debug logs (radiusd -X).
4.	Despite the cache returning data and merging into the request (as confirmed in the logs), the module returns ok instead of updated.

Sample Unlang:

update control {
    &Cache-Read-Only := "yes"
}
cache_realm_flags_local

if (!updated) {
    # This executes even though merge happened
    -realm_gate_flags
}

Log output from the FreeRADIUS daemon

cache_realm_flags_local: Merging cache entry into request
[cache_realm_flags_local] = ok
if (!updated) -> TRUE

Expected: updated
Actual: ok

Additional context

The module documentation in mods-available/cache explicitly says:

If Cache-Read-Only is set:
• Return updated if a cache entry was found
• Return notfound if no entry was found

This behavior is not matching what’s implemented (at least in 3.2.7), where merging occurs but return code is still ok.

This might be:
• A bug (i.e., the module should return updated), or
• A docs issue (if ok is now the intended behavior)

We are reporting it as a defect unless confirmed otherwise.

✅ Tested in 3.2.7

Log output from the FreeRADIUS daemon

(437) cache_realm_flags_local: EXPAND %{NAS-Identifier}
(437) cache_realm_flags_local:    --> [REDACTED_NASID]
(437) cache_realm_flags_local: Mutex acquired
(437) cache_realm_flags_local: Found entry for "[REDACTED_NASID]"
(437) cache_realm_flags_local: Merging cache entry into request
(437) cache_realm_flags_local: Mutex released
(437)         modsingle[authorize]: returned from cache_realm_flags_local (rlm_cache)
(437)         [cache_realm_flags_local] = ok
(437)         if (!updated) {
(437)         if (!updated)  -> TRUE

Relevant log output from client utilities

N/A

Backtrace from LLDB or GDB

N/A

Metadata

Metadata

Assignees

No one assigned

    Labels

    defectcategory: a defect or misbehaviourv3.2.xmeta: relates to the v3.2.x branch

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions