Accepting request 80093 from network:dhcp

bnc#712653,bnc#712438,bnc#711420,bnc#700771,bnc#697279,bnc#714004 OBS-URL: https://build.opensuse.org/request/show/80093 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dhcp?expand=0&rev=59
2011-08-31 08:47:42 +00:00 · 2011-08-31 08:47:42 +00:00 · 76fa77e20f
commit 76fa77e20f
parent e7f141d918 209e98a28b
19 changed files with 769 additions and 289 deletions
--- a/7
+++ b/7
@ -400,8 +400,8 @@ ARPCHECK|ARPSEND)
 BOUND|RENEW|REBIND|REBOOT)
  ####################################################################
-  if [ x$old_ip_address != x -a x$alias_ip_address != x ] && \
+  if [ x$alias_ip_address != x -a x$alias_ip_address != x$old_ip_address -a \
-     [ x$alias_ip_address != x$old_ip_address ] ;
+       x$new_ip_address != x$old_ip_address ] ;
  then
    # Possible new alias. Remove old alias.
    /sbin/ip addr del $alias_ip_address/$alias_subnet_mask dev $interface
@ -426,7 +426,8 @@ BOUND|RENEW|REBIND|REBOOT)
    set_ipv4_routes
  fi
-  if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x ];
+  if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x \
    -a x$new_ip_address != x$old_ip_address ];
  then
    /sbin/ip addr add $alias_ip_address/$alias_subnet_mask \
                      dev $interface
--- a/dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
+++ b/dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
@ -1,31 +0,0 @@
 From 4509d956715297469469ab0e207c2641f521470d Mon Sep 17 00:00:00 2001
 From: Marius Tomaschewski <mt@suse.de>
 Date: Fri, 29 Oct 2010 18:49:06 +0200
 Subject: [PATCH] dhcp-4.1.1-P1-relay-no-ip-on-interface
 Fix for a dhcrelay segfault while receiving packets on interfaces
 without any IPv4 address assigned (bnc#631305, [ISC-Bugs #22409]).
 Signed-off-by: Marius Tomaschewski <mt@suse.de>
 ---
 relay/dhcrelay.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
 diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
 index 11676ae..c375c83 100644
 --- a/relay/dhcrelay.c
 +++ b/relay/dhcrelay.c
@@ -565,6 +565,10 @@ do_relay4(struct interface_info *ip, struct dhcp_packet *packet,
 		log_info("Discarding packet with invalid hlen.");
 		return;
 	}
 +	if (ip->address_count < 1 || ip->addresses == NULL) {
 +		log_info("Discarding packet from interface without IP address");
 +		return;
 +	}
 	/* Find the interface that corresponds to the giaddr
 	   in the packet. */
 -- 
 1.7.1
--- a/dhcp-4.1.1-in6_pktinfo-prototype.diff
+++ b/dhcp-4.1.1-in6_pktinfo-prototype.diff
@ -1,21 +0,0 @@
 diff --git a/common/socket.c b/common/socket.c
 index 036f7ae..6f56740 100644
 --- a/common/socket.c
 +++ b/common/socket.c
@@ -40,11 +40,16 @@
  * I have implemented it under Linux; other systems should be doable also.
  */
 +#ifndef _GNU_SOURCE
 +#define _GNU_SOURCE
 +#endif
 #include "dhcpd.h"
 #include <errno.h>
 #include <sys/ioctl.h>
 #include <sys/uio.h>
 #include <sys/uio.h>
 +#include <netinet/in.h> /* for struct in6_pktinfo, with glibc >= 2.10.1
 +                           _GNU_SOURCE required to enable it */
 #ifdef USE_SOCKET_FALLBACK
 # if !defined (USE_SOCKET_SEND)
--- a/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff
+++ b/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff
@ -1,77 +0,0 @@
 From 7c0b7ae289a0f25853bd4bb660f3dd34b5c1ce88 Mon Sep 17 00:00:00 2001
 From: Marius Tomaschewski <mt@suse.de>
 Date: Wed, 27 Apr 2011 13:56:47 +0200
 Subject: [PATCH] dhclient string option checks
 Merged dhclient pretty escape and string option checks.
 Use relaxed domain-name option check causing a regression, when the
 server is misusing it to provide a domain list and does not provide
 it via the domain-search option; pretty escape semicolon as well
 (bnc#675052, CVE-2011-0997).
 Signed-off-by: Marius Tomaschewski <mt@suse.de>
 ---
 client/dhclient.c |    8 ++++----
 common/options.c  |    2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
 diff --git a/client/dhclient.c b/client/dhclient.c
 index 970b935..93db494 100644
 --- a/client/dhclient.c
 +++ b/client/dhclient.c
@@ -3142,7 +3142,7 @@ void script_write_params (client, prefix, lease)
 		} else {
 			log_error("suspect value in %s "
 				  "option - discarded",
 -				  lease->filename);
 +				  "filename");
 		}
 	}
@@ -3155,7 +3155,7 @@ void script_write_params (client, prefix, lease)
 		} else {
 			log_error("suspect value in %s "
 				  "option - discarded",
 -				  lease->server_name);
 +				  "server-name");
 		}
 	}
@@ -4077,7 +4077,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots)
 	const char *p;
 	/* not empty or complete length not over 255 characters   */
 -	if ((len == 0) || (len > 256))
 +	if ((len == 0) || (len >= 256))
 		return(-1);
 	/* consists of [[:alnum:]-]+ labels separated by [.]      */
@@ -4140,11 +4140,11 @@ static int check_option_values(struct universe *universe,
 	if ((universe == NULL) || (universe == &dhcp_universe)) {
 		switch(opt) {
 		      case DHO_HOST_NAME:
 -		      case DHO_DOMAIN_NAME:
 		      case DHO_NIS_DOMAIN:
 		      case DHO_NETBIOS_SCOPE:
 			return check_domain_name(ptr, len, 0);
 			break;
 +		      case DHO_DOMAIN_NAME:  /* accept a list for compatibiliy */
 		      case DHO_DOMAIN_SEARCH:
 			return check_domain_name_list(ptr, len, 0);
 			break;
 diff --git a/common/options.c b/common/options.c
 index c26f88c..8b4be65 100644
 --- a/common/options.c
 +++ b/common/options.c
@@ -3916,7 +3916,7 @@ pretty_escape(char **dst, char *dend, const unsigned char **src,
 			}
 		} else if (**src == '"' || **src == '\'' || **src == '$' ||
 			   **src == '`' || **src == '\\' || **src == '|' ||
 -			   **src == '&') {
 +			   **src == '&' || **src == ';') {
 			if (*dst + 2 > dend)
 				return -1;
 -- 
 1.7.3.4
--- a/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2
+++ b/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6f1458dc06686ad2c80111f09d1ffc61f0f7feecbd9e693bdc55904a35708608
 size 11461
--- a/dhcp-4.2.1-P1.tar.bz2
+++ b/dhcp-4.2.1-P1.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:cb8e19d01c5ab5de1da759c3fb34e4967e863e78c8d6106d2cbb0ffeaa80df76
 size 8659247
--- a/dhcp-4.2.2-close-on-exec.diff
+++ b/dhcp-4.2.2-close-on-exec.diff
@ -0,0 +1,420 @@
 diff --git a/client/clparse.c b/client/clparse.c
 index 9de4ce2..ca24ba6 100644
 --- a/client/clparse.c
 +++ b/client/clparse.c
@@ -220,7 +220,7 @@ int read_client_conf_file (const char *name, struct interface_info *ip,
 	int token;
 	isc_result_t status;
 -	if ((file = open (name, O_RDONLY)) < 0)
 +	if ((file = open (name, O_RDONLY | O_CLOEXEC)) < 0)
 		return uerr2isc (errno);
 	cfile = NULL;
@@ -257,7 +257,7 @@ void read_client_leases ()
 	/* Open the lease file.   If we can't open it, just return -
 	   we can safely trust the server to remember our state. */
 -	if ((file = open (path_dhclient_db, O_RDONLY)) < 0)
 +	if ((file = open (path_dhclient_db, O_RDONLY | O_CLOEXEC)) < 0)
 		return;
 	cfile = NULL;
 diff --git a/client/dhclient.c b/client/dhclient.c
 index 82c26bb..a1cab01 100644
 --- a/client/dhclient.c
 +++ b/client/dhclient.c
@@ -131,11 +131,11 @@ main(int argc, char **argv) {
 	/* Make sure that file descriptors 0 (stdin), 1, (stdout), and
 	   2 (stderr) are open. To do this, we assume that when we
 	   open a file the lowest available file descriptor is used. */
 -	fd = open("/dev/null", O_RDWR);
 +	fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 0)
 -		fd = open("/dev/null", O_RDWR);
 +		fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 1)
 -		fd = open("/dev/null", O_RDWR);
 +		fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 2)
 		log_perror = 0; /* No sense logging to /dev/null. */
 	else if (fd != -1)
@@ -423,7 +423,7 @@ main(int argc, char **argv) {
 		int e;
 		oldpid = 0;
 -		if ((pidfd = fopen(path_dhclient_pid, "r")) != NULL) {
 +		if ((pidfd = fopen(path_dhclient_pid, "re")) != NULL) {
 			e = fscanf(pidfd, "%ld\n", &temp);
 			oldpid = (pid_t)temp;
@@ -2689,7 +2689,7 @@ void rewrite_client_leases ()
 	if (leaseFile != NULL)
 		fclose (leaseFile);
 -	leaseFile = fopen (path_dhclient_db, "w");
 +	leaseFile = fopen (path_dhclient_db, "we");
 	if (leaseFile == NULL) {
 		log_error ("can't create %s: %m", path_dhclient_db);
 		return;
@@ -2799,7 +2799,7 @@ write_duid(struct data_string *duid)
 		return DHCP_R_INVALIDARG;
 	if (leaseFile == NULL) {	/* XXX? */
 -		leaseFile = fopen(path_dhclient_db, "w");
 +		leaseFile = fopen(path_dhclient_db, "we");
 		if (leaseFile == NULL) {
 			log_error("can't create %s: %m", path_dhclient_db);
 			return ISC_R_IOERROR;
@@ -2847,7 +2847,7 @@ write_client6_lease(struct client_state *client, struct dhc6_lease *lease,
 		return DHCP_R_INVALIDARG;
 	if (leaseFile == NULL) {	/* XXX? */
 -		leaseFile = fopen(path_dhclient_db, "w");
 +		leaseFile = fopen(path_dhclient_db, "we");
 		if (leaseFile == NULL) {
 			log_error("can't create %s: %m", path_dhclient_db);
 			return ISC_R_IOERROR;
@@ -2979,7 +2979,7 @@ int write_client_lease (client, lease, rewrite, makesure)
 		return 1;
 	if (leaseFile == NULL) {	/* XXX */
 -		leaseFile = fopen (path_dhclient_db, "w");
 +		leaseFile = fopen (path_dhclient_db, "we");
 		if (leaseFile == NULL) {
 			log_error ("can't create %s: %m", path_dhclient_db);
 			return 0;
@@ -3472,9 +3472,9 @@ void go_daemon ()
 	close(2);
 	/* Reopen them on /dev/null. */
 -	open("/dev/null", O_RDWR);
 -	open("/dev/null", O_RDWR);
 -	open("/dev/null", O_RDWR);
 +	open("/dev/null", O_RDWR | O_CLOEXEC);
 +	open("/dev/null", O_RDWR | O_CLOEXEC);
 +	open("/dev/null", O_RDWR | O_CLOEXEC);
 	write_client_pid_file ();
 diff --git a/common/bpf.c b/common/bpf.c
 index 8bd5727..7b8f1d4 100644
 --- a/common/bpf.c
 +++ b/common/bpf.c
@@ -94,7 +94,7 @@ int if_register_bpf (info)
 	for (b = 0; 1; b++) {
 		/* %Audit% 31 bytes max. %2004.06.17,Safe% */
 		sprintf(filename, BPF_FORMAT, b);
 -		sock = open (filename, O_RDWR, 0);
 +		sock = open (filename, O_RDWR | O_CLOEXEC, 0);
 		if (sock < 0) {
 			if (errno == EBUSY) {
 				continue;
 diff --git a/common/discover.c b/common/discover.c
 index 1d84219..93a278e 100644
 --- a/common/discover.c
 +++ b/common/discover.c
@@ -421,7 +421,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) {
 	int len;
 	int i;
 -	ifaces->fp = fopen("/proc/net/dev", "r");
 +	ifaces->fp = fopen("/proc/net/dev", "re");
 	if (ifaces->fp == NULL) {
 		log_error("Error opening '/proc/net/dev' to list interfaces");
 		return 0;
@@ -456,7 +456,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) {
 #ifdef DHCPv6
 	if (local_family == AF_INET6) {
 -		ifaces->fp6 = fopen("/proc/net/if_inet6", "r");
 +		ifaces->fp6 = fopen("/proc/net/if_inet6", "re");
 		if (ifaces->fp6 == NULL) {
 			log_error("Error opening '/proc/net/if_inet6' to "
 				  "list IPv6 interfaces; %m");
 diff --git a/common/dlpi.c b/common/dlpi.c
 index b9eb1d3..c044ec6 100644
 --- a/common/dlpi.c
 +++ b/common/dlpi.c
@@ -806,7 +806,7 @@ dlpiopen(const char *ifname) {
 	}
 	*dp = '\0';
 -	return open (devname, O_RDWR, 0);
 +	return open (devname, O_RDWR | O_CLOEXEC, 0);
 }
 /*
 diff --git a/common/nit.c b/common/nit.c
 index 0da9c36..896cbb6 100644
 --- a/common/nit.c
 +++ b/common/nit.c
@@ -81,7 +81,7 @@ int if_register_nit (info)
 	struct strioctl sio;
 	/* Open a NIT device */
 -	sock = open ("/dev/nit", O_RDWR);
 +	sock = open ("/dev/nit", O_RDWR | O_CLOEXEC);
 	if (sock < 0)
 		log_fatal ("Can't open NIT device for %s: %m", info -> name);
 diff --git a/common/resolv.c b/common/resolv.c
 index b29d4cf..d946ccc 100644
 --- a/common/resolv.c
 +++ b/common/resolv.c
@@ -49,7 +49,7 @@ void read_resolv_conf (parse_time)
 	struct domain_search_list *dp, *dl, *nd;
 	isc_result_t status;
 -	if ((file = open (path_resolv_conf, O_RDONLY)) < 0) {
 +	if ((file = open (path_resolv_conf, O_RDONLY | O_CLOEXEC)) < 0) {
 		log_error ("Can't open %s: %m", path_resolv_conf);
 		return;
 	}
 diff --git a/common/upf.c b/common/upf.c
 index fff3949..4f9318e 100644
 --- a/common/upf.c
 +++ b/common/upf.c
@@ -77,7 +77,7 @@ int if_register_upf (info)
 		/* %Audit% Cannot exceed 36 bytes. %2004.06.17,Safe% */
 		sprintf(filename, "/dev/pf/pfilt%d", b);
 -		sock = open (filename, O_RDWR, 0);
 +		sock = open (filename, O_RDWR | O_CLOEXEC, 0);
 		if (sock < 0) {
 			if (errno == EBUSY) {
 				continue;
 diff --git a/dst/dst_api.c b/dst/dst_api.c
 index 8925c66..fa4eb5f 100644
 --- a/dst/dst_api.c
 +++ b/dst/dst_api.c
@@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *key)
 			     PRIVATE_KEY, PATH_MAX);
 	/* Do not overwrite an existing file */
 -	if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) {
 +	if ((fp = dst_s_fopen(file, "we", 0600)) != NULL) {
 		int nn;
 		if ((nn = fwrite(encoded_block, 1, len, fp)) != len) {
 			EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
@@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_name, const unsigned in_id, int in_alg)
 	 * flags, proto, alg stored as decimal (or hex numbers FIXME).
 	 * (FIXME: handle parentheses for line continuation.)
 	 */
 -	if ((fp = dst_s_fopen(name, "r", 0)) == NULL) {
 +	if ((fp = dst_s_fopen(name, "re", 0)) == NULL) {
 		EREPORT(("dst_read_public_key(): Public Key not found %s\n",
 			 name));
 		return (NULL);
@@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *key)
 		return (0);
 	}
 	/* create public key file */
 -	if ((fp = dst_s_fopen(filename, "w+", 0644)) == NULL) {
 +	if ((fp = dst_s_fopen(filename, "w+e", 0644)) == NULL) {
 		EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n",
 			 filename, errno));
 		return (0);
@@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, unsigned in_id,
 		return (0);
 	}
 	/* first check if we can find the key file */
 -	if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) {
 +	if ((fp = dst_s_fopen(filename, "re", 0)) == NULL) {
 		EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n",
 			 filename, dst_path[0] ? dst_path :
 			 (char *) getcwd(NULL, PATH_MAX - 1)));
 diff --git a/dst/prandom.c b/dst/prandom.c
 index 4de3fe4..fbbe07c 100644
 --- a/dst/prandom.c
 +++ b/dst/prandom.c
@@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned size)
 	s = stat("/dev/random", &st);
 	if (s == 0 && S_ISCHR(st.st_mode)) {
 -		if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK)) != -1) {
 +		if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC)) != -1) {
 			if ((n = read(fd, output, size)) < 0)
 				n = 0;
 			close(fd);
@@ -480,7 +480,7 @@ digest_file(dst_work *work)
 		work->file_digest = dst_free_key(work->file_digest);
 		return (0);
 	}
 -	if ((fp = fopen(name, "r")) == NULL) 
 +	if ((fp = fopen(name, "re")) == NULL) 
 		return (0);
 	for (no = 0; (i = fread(buf, sizeof(*buf), sizeof(buf), fp)) > 0; 
 	     no += i) 
 diff --git a/omapip/trace.c b/omapip/trace.c
 index 9fd3fb5..9c4e11e 100644
 --- a/omapip/trace.c
 +++ b/omapip/trace.c
@@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *filename,
 		return DHCP_R_INVALIDARG;
 	}
 -	traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL, 0600);
 +	traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC, 0600);
 	if (traceoutfile < 0 && errno == EEXIST) {
 		log_error ("WARNING: Overwriting trace file \"%s\"", filename);
 -		traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC,
 +		traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC | O_CLOEXEC,
 				     0600);
 	}
@@ -431,7 +431,7 @@ void trace_file_replay (const char *filename)
 	isc_result_t result;
 	int len;
 -	traceinfile = fopen (filename, "r");
 +	traceinfile = fopen (filename, "re");
 	if (!traceinfile) {
 		log_error("Can't open tracefile %s: %m", filename);
 		return;
 diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
 index f21f16f..d2aa90e 100644
 --- a/relay/dhcrelay.c
 +++ b/relay/dhcrelay.c
@@ -183,11 +183,11 @@ main(int argc, char **argv) {
 	/* Make sure that file descriptors 0(stdin), 1,(stdout), and
 	   2(stderr) are open. To do this, we assume that when we
 	   open a file the lowest available file descriptor is used. */
 -	fd = open("/dev/null", O_RDWR);
 +	fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 0)
 -		fd = open("/dev/null", O_RDWR);
 +		fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 1)
 -		fd = open("/dev/null", O_RDWR);
 +		fd = open("/dev/null", O_RDWR | O_CLOEXEC);
 	if (fd == 2)
 		log_perror = 0; /* No sense logging to /dev/null. */
 	else if (fd != -1)
@@ -540,13 +540,14 @@ main(int argc, char **argv) {
 		if (no_pid_file == ISC_FALSE) {
 			pfdesc = open(path_dhcrelay_pid,
 -				      O_CREAT | O_TRUNC | O_WRONLY, 0644);
 +				      O_CREAT | O_TRUNC | O_WRONLY |
 +				      O_CLOEXEC, 0644);
 			if (pfdesc < 0) {
 				log_error("Can't create %s: %m",
 					  path_dhcrelay_pid);
 			} else {
 -				pf = fdopen(pfdesc, "w");
 +				pf = fdopen(pfdesc, "we");
 				if (!pf)
 					log_error("Can't fdopen %s: %m",
 						  path_dhcrelay_pid);
 diff --git a/server/confpars.c b/server/confpars.c
 index c0742d4..62568e9 100644
 --- a/server/confpars.c
 +++ b/server/confpars.c
@@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char *filename, struct group *group,
 	}
 #endif
 -	if ((file = open (filename, O_RDONLY)) < 0) {
 +	if ((file = open (filename, O_RDONLY | O_CLOEXEC)) < 0) {
 		if (leasep) {
 			log_error ("Can't open lease database %s: %m --",
 				   path_dhcpd_db);
 diff --git a/server/db.c b/server/db.c
 index dc75321..be5db26 100644
 --- a/server/db.c
 +++ b/server/db.c
@@ -1035,7 +1035,7 @@ void db_startup (testp)
 	}
 #endif
 	if (!testp) {
 -		db_file = fopen (path_dhcpd_db, "a");
 +		db_file = fopen (path_dhcpd_db, "ae");
 		if (!db_file)
 			log_fatal ("Can't open %s for append.", path_dhcpd_db);
 		expire_all_pools ();
@@ -1074,7 +1074,7 @@ int new_lease_file ()
 	db_validity = lease_file_is_corrupt;
 	snprintf (newfname, sizeof(newfname), "%s.XXXXXX", path_dhcpd_db);
 -	db_fd = mkstemp (newfname);
 +	db_fd = mkostemp (newfname, O_CLOEXEC);
 	if (db_fd < 0) {
 		log_error ("Can't create new lease file: %m");
 		return 0;
@@ -1083,7 +1083,7 @@ int new_lease_file ()
 		log_error ("Can't fchmod new lease file: %m");
 		goto fail;
 	}
 -	if ((new_db_file = fdopen(db_fd, "w")) == NULL) {
 +	if ((new_db_file = fdopen(db_fd, "we")) == NULL) {
 		log_error("Can't fdopen new lease file: %m");
 		close(db_fd);
 		goto fdfail;
 diff --git a/server/dhcpd.c b/server/dhcpd.c
 index 27e04e4..9233d26 100644
 --- a/server/dhcpd.c
 +++ b/server/dhcpd.c
@@ -274,11 +274,11 @@ main(int argc, char **argv) {
         /* Make sure that file descriptors 0 (stdin), 1, (stdout), and
            2 (stderr) are open. To do this, we assume that when we
            open a file the lowest available file descriptor is used. */
 -        fd = open("/dev/null", O_RDWR);
 +        fd = open("/dev/null", O_RDWR | O_CLOEXEC);
         if (fd == 0)
 -                fd = open("/dev/null", O_RDWR);
 +                fd = open("/dev/null", O_RDWR | O_CLOEXEC);
         if (fd == 1)
 -                fd = open("/dev/null", O_RDWR);
 +                fd = open("/dev/null", O_RDWR | O_CLOEXEC);
         if (fd == 2)
                 log_perror = 0; /* No sense logging to /dev/null. */
         else if (fd != -1)
@@ -809,7 +809,7 @@ main(int argc, char **argv) {
 	 */
 	if (no_pid_file == ISC_FALSE) {
 		/*Read previous pid file. */
 -		if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
 +		if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) {
 			status = read(i, pbuf, (sizeof pbuf) - 1);
 			close (i);
 			if (status > 0) {
@@ -828,7 +828,7 @@ main(int argc, char **argv) {
 		}
 		/* Write new pid file. */
 -		i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644);
 +		i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644);
 		if (i >= 0) {
 			sprintf(pbuf, "%d\n", (int) getpid());
 			IGNORE_RET (write(i, pbuf, strlen(pbuf)));
@@ -856,9 +856,9 @@ main(int argc, char **argv) {
                 close(2);
                 /* Reopen them on /dev/null. */
 -                open("/dev/null", O_RDWR);
 -                open("/dev/null", O_RDWR);
 -                open("/dev/null", O_RDWR);
 +                open("/dev/null", O_RDWR | O_CLOEXEC);
 +                open("/dev/null", O_RDWR | O_CLOEXEC);
 +                open("/dev/null", O_RDWR | O_CLOEXEC);
                 log_perror = 0; /* No sense logging to /dev/null. */
        		IGNORE_RET (chdir("/"));
 diff --git a/server/ldap.c b/server/ldap.c
 index 68acbbb..77efe26 100644
 --- a/server/ldap.c
 +++ b/server/ldap.c
@@ -1098,7 +1098,7 @@ ldap_start (void)
   if (ldap_debug_file != NULL && ldap_debug_fd == -1)
     {
 -      if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY,
 +      if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC,
                                  S_IRUSR | S_IWUSR)) < 0)
         log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file,
                    strerror (errno));
 -- 
 1.7.3.4
--- a/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff
+++ b/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff
@ -0,0 +1,47 @@
 diff --git a/client/dhclient.c b/client/dhclient.c
 index 9fd7ccc..82c26bb 100644
 --- a/client/dhclient.c
 +++ b/client/dhclient.c
@@ -3251,7 +3251,7 @@ void script_write_params (client, prefix, lease)
 		} else {
 			log_error("suspect value in %s "
 				  "option - discarded",
 -				  lease->filename);
 +				  "filename");
 		}
 	}
@@ -3264,7 +3264,7 @@ void script_write_params (client, prefix, lease)
 		} else {
 			log_error("suspect value in %s "
 				  "option - discarded",
 -				  lease->server_name);
 +				  "server-name");
 		}
 	}
@@ -4193,7 +4193,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots)
 	const char *p;
 	/* not empty or complete length not over 255 characters   */
 -	if ((len == 0) || (len > 256))
 +	if ((len == 0) || (len >= 256))
 		return(-1);
 	/* consists of [[:alnum:]-]+ labels separated by [.]      */
 diff --git a/common/options.c b/common/options.c
 index 80fd8db..6b95f3b 100644
 --- a/common/options.c
 +++ b/common/options.c
@@ -3916,7 +3916,7 @@ pretty_escape(char **dst, char *dend, const unsigned char **src,
 			}
 		} else if (**src == '"' || **src == '\'' || **src == '$' ||
 			   **src == '`' || **src == '\\' || **src == '|' ||
 -			   **src == '&') {
 +			   **src == '&' || **src == ';') {
 			if (*dst + 2 > dend)
 				return -1;
 -- 
 1.7.3.4
--- a/dhcp-4.2.2-dhclient-send-hostname-rml.diff
+++ b/dhcp-4.2.2-dhclient-send-hostname-rml.diff
@ -1,34 +1,34 @@
 diff --git a/client/dhclient.8 b/client/dhclient.8
-index 7a3c154..e284210 100644
+index 6306b08..1394c38 100644
 --- a/client/dhclient.8
 +++ b/client/dhclient.8
-@@ -64,6 +64,10 @@ dhclient - Dynamic Host Configuration Protocol Client
+@@ -60,6 +60,10 @@ dhclient - Dynamic Host Configuration Protocol Client
- .I port
+ .I LL|LLT
 ]
 [
 +.B -H
 +.I hostname
 +]
 +[
- .B -d
+ .B -p
 .I port
 ]
- [
+@@ -299,6 +303,10 @@ PID file.  When shutdown via this method
-@@ -305,6 +309,10 @@ If a different port is specified on which the client should listen and
+ .B dhclient-script(8)
- transmit, the client will also use a different destination port -
+ will be executed with the specific reason for calling the script set.
 one less than the specified port.
 .TP
 +.BI \-H \ hostname
 +This flag may be used to specify a client hostname that should be sent to
 +the DHCP server. Note, that this option is a SUSE/Novell extension.
 +.TP
- .BI \-s \ server
+ .BI \-p \ port
- Specify the server IP address or fully qualified domain name to use as
+ The UDP port number on which the DHCP client should listen and transmit.
- a destination for DHCP protocol messages before 
+ If unspecified,
 diff --git a/client/dhclient.c b/client/dhclient.c
-index dc19e8b..bd02cc9 100644
+index 9b53f07..9fd7ccc 100644
 --- a/client/dhclient.c
 +++ b/client/dhclient.c
-@@ -110,6 +110,7 @@ main(int argc, char **argv) {
+@@ -119,6 +119,7 @@ main(int argc, char **argv) {
 	int no_dhclient_db = 0;
 	int no_dhclient_pid = 0;
 	int no_dhclient_script = 0;
@ -36,24 +36,30 @@ index dc19e8b..bd02cc9 100644
 #ifdef DHCPv6
 	int local_family_set = 0;
 #endif /* DHCPv6 */
-@@ -220,6 +221,16 @@ main(int argc, char **argv) {
+@@ -231,6 +232,22 @@ main(int argc, char **argv) {
 			if (++i == argc)
 				usage();
 			mockup_relay = argv[i];
 +		} else if (!strcmp (argv[i], "-H")) {
 +			size_t len;
 +			if (++i == argc || !argv[i] || *(argv[i]) == '\0')
 +				usage ();
-+			if (strlen (argv[i]) > HOST_NAME_MAX) {
+			len = strlen (argv[i]);
 +			if (len > HOST_NAME_MAX) {
 +				log_error("-H option host-name string \"%s\" is too long:"
 +				          "maximum length is %d characters",
 +					  argv[i], HOST_NAME_MAX);
 +				exit(1);
 +			} else if(check_domain_name(argv[i], len, 0) != 0) {
 +				log_error("suspect host-name in -H \"%s\"",
 +				          argv[i]);
 +				exit(1);
 +			}
 +			dhclient_hostname = argv [i];
 		} else if (!strcmp(argv[i], "-nw")) {
 			nowait = 1;
 		} else if (!strcmp(argv[i], "-n")) {
-@@ -468,6 +479,32 @@ main(int argc, char **argv) {
+@@ -484,6 +501,35 @@ main(int argc, char **argv) {
 	/* Parse the dhclient.conf file. */
 	read_client_conf();
@ -63,10 +69,12 @@ index dc19e8b..bd02cc9 100644
 +		char buf[HOST_NAME_MAX + 40];
 +		int len;
 +
-+		snprintf (buf, sizeof(buf), "send host-name \"%s\";", dhclient_hostname);
+		snprintf (buf, sizeof(buf), "send host-name \"%s\";",
 +				dhclient_hostname);
 +		len = strlen(buf);
 +
-+		status = new_parse (&cfile, -1, buf, len, "host-name option", 0);
+		status = new_parse (&cfile, -1, buf, len,
 +					"host-name option", 0);
 +		if (status != ISC_R_SUCCESS)
 +			log_fatal ("Cannot parse send host-name statement!");
 +
@ -78,7 +86,8 @@ index dc19e8b..bd02cc9 100644
 +			if (token == END_OF_FILE)
 +				break;
 +
-+			parse_client_statement (cfile, NULL, &top_level_config);
+			parse_client_statement (cfile, NULL,
 +						&top_level_config);
 +		}
 +		end_parse (&cfile);
 +	}
@ -86,19 +95,15 @@ index dc19e8b..bd02cc9 100644
 	/* Parse the lease database. */
 	read_client_leases();
-@@ -676,12 +713,12 @@ static void usage()
+@@ -708,9 +754,9 @@ static void usage()
- 	log_error("Usage: dhclient %s %s",
+ 	log_fatal("Usage: dhclient "
 #ifdef DHCPv6
-		  "[-4|-6] [-SNTP1dvrx] [-nw] [-p <port>] [-D LL|LLT]",
+-		  "[-4|-6] [-SNTP1dvrx] [-nw] [-p <port>] [-D LL|LLT]\n"
-+		  "[-4|-6] [-SNTP1dvrx] [-nw] [-H <hostname>] [-p <port>] [-D LL|LLT]",
+		  "[-4|-6] [-SNTP1dvrx] [-nw] [-H <hostname>] [-p <port>] [-D LL|LLT]\n"
 #else /* DHCPv6 */
-		  "[-1dvrx] [-nw] [-p <port>]",
+-		  "[-1dvrx] [-nw] [-p <port>]\n"
-+		  "[-1dvrx] [-nw] [-H <hostname>] [-p <port>]",
+		  "[-1dvrx] [-nw] [-H <hostname>] [-p <port>]\n"
 #endif /* DHCPv6 */
- 		  "[-s server]");
+ 		  "                [-s server-addr] [-cf config-file] "
-	log_error("                [-cf config-file] [-lf lease-file]%s",
+ 		  "[-lf lease-file]\n"
 +	log_error("                [-cf config-file] [-lf lease-file] %s",
 		  "[-pf pid-file] [-e VAR=val]");
 	log_fatal("                [-sf script-file] [interface]");
 }
--- a/dhcp-4.2.2-ldap-patch-mt01.diff.bz2
+++ b/dhcp-4.2.2-ldap-patch-mt01.diff.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:b113289cbcaf5d9f76892b48a6c8a452f7f2180aab1a06a8acacc49d0fa137a9
 size 11732
--- a/dhcp-4.2.2-man-includes.diff
+++ b/dhcp-4.2.2-man-includes.diff
@ -1,26 +1,28 @@
 diff --git a/dhcpctl/dhcpctl.3 b/dhcpctl/dhcpctl.3
-index 2e1cb8a..ee44755 100644
+index 9aa1851..7497612 100644
 --- a/dhcpctl/dhcpctl.3
 +++ b/dhcpctl/dhcpctl.3
-@@ -425,7 +425,7 @@ that most error checking has been ommitted for brevity.
+@@ -430,8 +430,8 @@ that most error checking has been ommitted for brevity.
 #include <stdio.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <isc/result.h>
+-#include "omapip/result.h"
-+#include <isc-dhcp/result.h>
+-#include "dhcpctl.h"
- #include <dhcpctl/dhcpctl.h>
+#include <omapip/result.h>
 +#include <dhcpctl/dhcpctl.h>
 int main (int argc, char **argv) {
 	dhcpctl_data_string ipaddrstring = NULL;
 diff --git a/omapip/omapi.3 b/omapip/omapi.3
-index 4673549..8e2503f 100644
+index 4868d7c..23389b0 100644
 --- a/omapip/omapi.3
 +++ b/omapip/omapi.3
-@@ -87,7 +87,7 @@ the lease ends.
+@@ -88,7 +88,7 @@ the lease ends.
 		#include <stdio.h>
 		#include <netinet/in.h>
 -		#include <isc/result.h>
-+		#include <isc-dhcp/result.h>
+		#include <omapip/result.h>
 		#include <dhcpctl/dhcpctl.h>
 		int main (int argc, char **argv) {
--- a/dhcp-4.2.2-quiet-dhclient.bnc711420.diff
+++ b/dhcp-4.2.2-quiet-dhclient.bnc711420.diff
@ -0,0 +1,17 @@
 diff --git a/client/dhclient.c b/client/dhclient.c
 index a1cab01..ff5ede5 100644
 --- a/client/dhclient.c
 +++ b/client/dhclient.c
@@ -444,6 +444,9 @@ main(int argc, char **argv) {
 	} else {
 		log_perror = 0;
 		quiet_interface_discovery = 1;
 +#if !defined(DEBUG)
 +		setlogmask(LOG_UPTO(LOG_NOTICE));
 +#endif
 	}
 	/* If we're given a relay agent address to insert, for testing
 -- 
 1.7.3.4
--- a/dhcp-4.2.0-xen-checksum.patch
+++ b/dhcp-4.2.0-xen-checksum.patch
@ -1,7 +1,8 @@
-diff -up dhcp-4.2.0/common/bpf.c.xen dhcp-4.2.0/common/bpf.c
+diff --git a/common/bpf.c b/common/bpf.c
--- dhcp-4.2.0/common/bpf.c.xen	2009-11-20 02:48:59.000000000 +0100
+index b0ef657..8bd5727 100644
-+++ dhcp-4.2.0/common/bpf.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/bpf.c
-@@ -485,7 +485,7 @@ ssize_t receive_packet (interface, buf, 
+++ b/common/bpf.c
@@ -485,7 +485,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 		offset = decode_udp_ip_header (interface,
 					       interface -> rbuf,
 					       interface -> rbuf_offset,
@ -10,10 +11,11 @@ diff -up dhcp-4.2.0/common/bpf.c.xen dhcp-4.2.0/common/bpf.c
 		/* If the IP or UDP checksum was bad, skip the packet... */
 		if (offset < 0) {
-diff -up dhcp-4.2.0/common/dlpi.c.xen dhcp-4.2.0/common/dlpi.c
+diff --git a/common/dlpi.c b/common/dlpi.c
--- dhcp-4.2.0/common/dlpi.c.xen	2009-11-20 02:49:00.000000000 +0100
+index 8f2c73d..b9eb1d3 100644
-+++ dhcp-4.2.0/common/dlpi.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/dlpi.c
-@@ -694,7 +694,7 @@ ssize_t receive_packet (interface, buf, 
+++ b/common/dlpi.c
@@ -693,7 +693,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 	length -= offset;
 #endif
 	offset = decode_udp_ip_header (interface, dbuf, bufix,
@ -22,10 +24,11 @@ diff -up dhcp-4.2.0/common/dlpi.c.xen dhcp-4.2.0/common/dlpi.c
 	/*
 	 * If the IP or UDP checksum was bad, skip the packet...
-diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
+diff --git a/common/lpf.c b/common/lpf.c
--- dhcp-4.2.0/common/lpf.c.xen	2009-07-23 20:52:19.000000000 +0200
+index 16eecc9..4bdb0f1 100644
-+++ dhcp-4.2.0/common/lpf.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/lpf.c
-@@ -29,18 +29,33 @@
+++ b/common/lpf.c
@@ -29,19 +29,33 @@
 #include "dhcpd.h"
 #if defined (USE_LPF_SEND) || defined (USE_LPF_RECEIVE)
 #include <sys/ioctl.h>
@ -38,6 +41,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 #include <linux/if_ether.h>
 +#include <linux/if_packet.h>
 #include <netinet/in_systm.h>
 -#include <net/if_packet.h>
 #include "includes/netinet/ip.h"
 #include "includes/netinet/udp.h"
 #include "includes/netinet/if_ether.h"
@ -59,7 +63,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 /* Reinitializes the specified interface after an address change.   This
    is not required for packet-filter APIs. */
-@@ -66,10 +81,14 @@ int if_register_lpf (info)
+@@ -67,10 +81,14 @@ int if_register_lpf (info)
 	struct interface_info *info;
 {
 	int sock;
@ -76,7 +80,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 			   htons((short)ETH_P_ALL))) < 0) {
 		if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT ||
 		    errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT ||
-@@ -84,11 +103,16 @@ int if_register_lpf (info)
+@@ -85,11 +103,16 @@ int if_register_lpf (info)
 		log_fatal ("Open a socket for LPF: %m");
 	}
@ -96,7 +100,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 		if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT ||
 		    errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT ||
 		    errno == EAFNOSUPPORT || errno == EINVAL) {
-@@ -170,9 +194,18 @@ static void lpf_gen_filter_setup (struct
+@@ -171,9 +194,18 @@ static void lpf_gen_filter_setup (struct interface_info *);
 void if_register_receive (info)
 	struct interface_info *info;
 {
@ -115,32 +119,34 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 #if defined (HAVE_TR_SUPPORT)
 	if (info -> hw_address.hbuf [0] == HTYPE_IEEE802)
 		lpf_tr_filter_setup (info);
-@@ -294,7 +327,6 @@ ssize_t send_packet (interface, packet, 
+@@ -295,7 +327,6 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto)
 	double hh [16];
 	double ih [1536 / sizeof (double)];
 	unsigned char *buf = (unsigned char *)ih;
-	struct sockaddr sa;
+-	struct sockaddr_pkt sa;
 	int result;
 	int fudge;
-@@ -315,15 +347,7 @@ ssize_t send_packet (interface, packet, 
+@@ -316,17 +347,7 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto)
 				(unsigned char *)raw, len);
 	memcpy (buf + ibufp, raw, len);
 -	/* For some reason, SOCK_PACKET sockets can't be connected,
 -	   so we have to do a sentdo every time. */
 -	memset (&sa, 0, sizeof sa);
-	sa.sa_family = AF_PACKET;
+-	sa.spkt_family = AF_PACKET;
-	strncpy (sa.sa_data,
+-	strncpy ((char *)sa.spkt_device,
-		 (const char *)interface -> ifp, sizeof sa.sa_data);
+-		 (const char *)interface -> ifp, sizeof sa.spkt_device);
 -	sa.spkt_protocol = htons(ETH_P_IP);
 -
 -	result = sendto (interface -> wfdesc,
-			 buf + fudge, ibufp + len - fudge, 0, &sa, sizeof sa);
+-			 buf + fudge, ibufp + len - fudge, 0, 
 -			 (const struct sockaddr *)&sa, sizeof sa);
 +	result = write (interface -> wfdesc, buf + fudge, ibufp + len - fudge);
 	if (result < 0)
 		log_error ("send_packet: %m");
 	return result;
-@@ -340,14 +364,35 @@ ssize_t receive_packet (interface, buf, 
+@@ -343,14 +364,35 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 {
 	int length = 0;
 	int offset = 0;
@ -148,6 +154,8 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 	unsigned char ibuf [1536];
 	unsigned bufix = 0;
 	unsigned paylen;
 -
 -	length = read (interface -> rfdesc, ibuf, sizeof ibuf);
 +	unsigned char cmsgbuf[CMSG_LEN(sizeof(struct tpacket_auxdata))];
 +	struct iovec iov = {
 +		.iov_base = ibuf,
@ -160,8 +168,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 +		.msg_controllen = sizeof(cmsgbuf),
 +	};
 +	struct cmsghdr *cmsg;
- 
+
 -	length = read (interface -> rfdesc, ibuf, sizeof ibuf);
 +	length = recvmsg (interface -> rfdesc, &msg, 0);
 	if (length <= 0)
 		return length;
@ -177,7 +184,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 	bufix = 0;
 	/* Decode the physical header... */
 	offset = decode_hw_header (interface, ibuf, bufix, hfrom);
-@@ -364,7 +409,7 @@ ssize_t receive_packet (interface, buf, 
+@@ -367,7 +409,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 	/* Decode the IP and UDP headers... */
 	offset = decode_udp_ip_header (interface, ibuf, bufix, from,
@ -186,10 +193,11 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c
 	/* If the IP or UDP checksum was bad, skip the packet... */
 	if (offset < 0)
-diff -up dhcp-4.2.0/common/nit.c.xen dhcp-4.2.0/common/nit.c
+diff --git a/common/nit.c b/common/nit.c
--- dhcp-4.2.0/common/nit.c.xen	2009-11-20 02:49:01.000000000 +0100
+index 3822206..0da9c36 100644
-+++ dhcp-4.2.0/common/nit.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/nit.c
-@@ -369,7 +369,7 @@ ssize_t receive_packet (interface, buf, 
+++ b/common/nit.c
@@ -369,7 +369,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 	/* Decode the IP and UDP headers... */
 	offset = decode_udp_ip_header (interface, ibuf, bufix,
@ -198,9 +206,10 @@ diff -up dhcp-4.2.0/common/nit.c.xen dhcp-4.2.0/common/nit.c
 	/* If the IP or UDP checksum was bad, skip the packet... */
 	if (offset < 0)
-diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c
+diff --git a/common/packet.c b/common/packet.c
--- dhcp-4.2.0/common/packet.c.xen	2009-07-23 20:52:20.000000000 +0200
+index 42bca69..fd2d975 100644
-+++ dhcp-4.2.0/common/packet.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/packet.c
 +++ b/common/packet.c
@@ -211,7 +211,7 @@ ssize_t
 decode_udp_ip_header(struct interface_info *interface,
 		     unsigned char *buf, unsigned bufix,
@ -210,7 +219,7 @@ diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c
 {
   unsigned char *data;
   struct ip ip;
-@@ -322,7 +322,7 @@ decode_udp_ip_header(struct interface_in
+@@ -322,7 +322,7 @@ decode_udp_ip_header(struct interface_info *interface,
 					   8, IPPROTO_UDP + ulen))));
   udp_packets_seen++;
@ -219,10 +228,11 @@ diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c
 	  udp_packets_bad_checksum++;
 	  if (udp_packets_seen > 4 &&
 	      (udp_packets_seen / udp_packets_bad_checksum) < 2) {
-diff -up dhcp-4.2.0/common/upf.c.xen dhcp-4.2.0/common/upf.c
+diff --git a/common/upf.c b/common/upf.c
--- dhcp-4.2.0/common/upf.c.xen	2009-11-20 02:49:01.000000000 +0100
+index feb82a2..fff3949 100644
-+++ dhcp-4.2.0/common/upf.c	2010-07-21 13:51:24.000000000 +0200
+--- a/common/upf.c
-@@ -320,7 +320,7 @@ ssize_t receive_packet (interface, buf, 
+++ b/common/upf.c
@@ -320,7 +320,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom)
 	/* Decode the IP and UDP headers... */
 	offset = decode_udp_ip_header (interface, ibuf, bufix,
@ -231,15 +241,19 @@ diff -up dhcp-4.2.0/common/upf.c.xen dhcp-4.2.0/common/upf.c
 	/* If the IP or UDP checksum was bad, skip the packet... */
 	if (offset < 0)
-diff -up dhcp-4.2.0/includes/dhcpd.h.xen dhcp-4.2.0/includes/dhcpd.h
+diff --git a/includes/dhcpd.h b/includes/dhcpd.h
--- dhcp-4.2.0/includes/dhcpd.h.xen	2010-07-21 13:38:31.000000000 +0200
+index adf04cc..ded57a9 100644
-+++ dhcp-4.2.0/includes/dhcpd.h	2010-07-21 13:51:24.000000000 +0200
+--- a/includes/dhcpd.h
-@@ -2773,7 +2773,7 @@ ssize_t decode_hw_header PROTO ((struct 
+++ b/includes/dhcpd.h
- 				 unsigned, struct hardware *));
+@@ -2793,7 +2793,7 @@ ssize_t decode_hw_header (struct interface_info *, unsigned char *,
- ssize_t decode_udp_ip_header PROTO ((struct interface_info *, unsigned char *,
+ 			  unsigned, struct hardware *);
 ssize_t decode_udp_ip_header (struct interface_info *, unsigned char *,
 			      unsigned, struct sockaddr_in *,
-				     unsigned, unsigned *));
+-			      unsigned, unsigned *);
-+				     unsigned, unsigned *, int));
+			      unsigned, unsigned *, int);
 /* ethernet.c */
- void assemble_ethernet_header PROTO ((struct interface_info *, unsigned char *,
+ void assemble_ethernet_header (struct interface_info *, unsigned char *,
 -- 
 1.7.3.4
--- a/dhcp-4.2.2.tar.bz2
+++ b/dhcp-4.2.2.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:dfafcabbd4b2f099fd7ae1f9a9f6f2dc472b134ed5b6a391c2f7082dfdc2d8b6
 size 8613758
--- a/dhcp.changes
+++ b/dhcp.changes
@ -1,3 +1,50 @@
 -------------------------------------------------------------------
 Mon Aug 29 15:15:44 UTC 2011 - mt@suse.de
 - Updated to ISC dhcp-4.2.2 release, providing two security fixes
  (CVE-2011-2748,CVE-2011-2749,[ISC-Bugs #24960],bnc#712653), that
  allowed remote attackers to cause a denial of service (a daemon
  exit) via crafted BOOTP packets. Further also DNS update fix to
  detect overlapping pools or misconfigured fixed-address entries,
  that caused a server crash during DNS update and other fixes.
  For a complete list, please see the RELNOTES file provided in
  the package and also available online at http://www.isc.org/.
 - Merged/adopted dhclient option-checks, send-hostname-rml, ldap
  patch, xen-checksum, close-on-exec patches and removed obsolete
  in6_pktinfo-prototype and relay-no-ip-on-interface patches.
 - Moved server pid files into chroot directory even chroot is
  not used and create a link in /var/run, so it can write one
  when started as user without chroot and avoid stop problems
  when the chroot sysconfig setting changed (bnc#712438).
 - Disabled log-info level messages in dhclient(6) quiet mode to
  avoid excessive logging of non-critical messages (bnc#711420).
 - Fixed dhclient-script to not remove alias IP when it didn't
  changed to not wipe out iptables connmark when renewing the
  lease (bnc#700771). Thanks to James Carter for the patch.
 - Fixed DDNS-howto.txt reference in the config file; it has been
  moved to the dhcp-doc package (bnc#697279).
 - Removed GPL licensed files (bind-*/contrib/dbus) from bind.tgz
  to ensure, they're not used to build non-GPL dhcp (bnc#714004).
 - Changed to apply strict-aliasing/RELRO for >= 12.x only
 -------------------------------------------------------------------
 Wed Jul 20 18:53:07 UTC 2011 - crrodriguez@opensuse.org
 - Correct previous change. 
 -------------------------------------------------------------------
 Wed Jul 20 04:45:40 UTC 2011 - crrodriguez@opensuse.org
 - THis is a long running network daemon, link with
   full RELRO security enhancements.
 - remove -fno-strict-aliasing from CFLAGS, no longer needed. 
 -------------------------------------------------------------------
 Tue May 17 03:58:24 UTC 2011 - crrodriguez@opensuse.org
 - Import redhat's patch to open all needed FDs  with O_CLOEXEC
  so they dont leak.
 -------------------------------------------------------------------
 Thu May 12 08:39:03 UTC 2011 - mt@suse.de
--- a/dhcp.spec
+++ b/dhcp.spec
@ -17,7 +17,7 @@
 # norootforbuild
-%define isc_version   4.2.1-P1
+%define isc_version   4.2.2
 %define susefw2dir    %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %define omc_prefix    /usr/share/omc
 %define omc_svcdir    %{omc_prefix}/svcinfo.d
@ -39,8 +39,8 @@ BuildRequires:  dos2unix
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/Boot/Servers
 AutoReqProv:    on
-Version:        4.2.1.P1
+Version:        4.2.2
-Release:        5
+Release:        0
 Summary:        Common Files Used by ISC DHCP Software
 Url:            http://www.isc.org/software/dhcp
 Source0:        dhcp-%{isc_version}.tar.bz2
@ -75,18 +75,18 @@ Patch10:        dhcp-4.1.1-default-paths.diff
 # paranoia patch is included now, but not the
 # additional patch by thomas@suse.de not ...
 Patch11:        dhcp-4.1.1-paranoia.diff
-Patch12:        dhcp-4.1.1-man-includes.diff
+Patch12:        dhcp-4.2.2-man-includes.diff
 Patch13:        dhcp-4.1.1-tmpfile.diff
 Patch14:        dhcp-4.1.1-in6_pktinfo-prototype.diff
 Patch15:        contrib-lease-path.diff
 Patch20:        dhcp-4.1.1-dhclient-exec-filedes.diff
-Patch21:        dhcp-4.2.1-dhclient-send-hostname-rml.diff
+Patch21:        dhcp-4.2.2-dhclient-send-hostname-rml.diff
-## patch lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/
+## patch repo lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/
-Patch30:        dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2
+Patch30:        dhcp-4.2.2-ldap-patch-mt01.diff.bz2
 Patch40:        dhcp-4.1.1-P1-lpf-bind-msg-fix.diff
-Patch41:        dhcp-4.1.1-P1-relay-no-ip-on-interface.diff
+Patch44:        dhcp-4.2.2-xen-checksum.diff
-Patch44:        dhcp-4.2.0-xen-checksum.patch
+Patch45:        dhcp-4.2.2-dhclient-option-checks.bnc675052.diff
-Patch45:        dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff
+Patch46:        dhcp-4.2.2-close-on-exec.diff
 Patch47:        dhcp-4.2.2-quiet-dhclient.bnc711420.diff
 ##
 PreReq:         /bin/touch /sbin/chkconfig sysconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -216,7 +216,6 @@ Authors:
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 %patch15 -p0
 %patch20 -p1
 %patch21 -p1
@ -224,15 +223,26 @@ Authors:
 %patch30 -p1
 %endif
 %patch40 -p1
 %patch41 -p1
 %patch44 -p1
 %patch45 -p1
 %patch46 -p1
 %patch47 -p1
 ##
 find . -type f -name \*.cat\* -exec rm -f {} \;
 dos2unix contrib/ms2isc/*
 %build
-CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -Wno-unused"
+# Remove GPL licensed files to make sure,
 # they're not used to build (bnc#714004).
 pushd bind
 gunzip -c bind.tar.gz | tar xf -
 rm -rf bind-*/contrib/dbus
 popd
 %if %suse_version >= 1210
 CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -Wno-unused"
 %else
 CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused"
 %endif
 %ifarch ppc ppc64 s390x
  # bugs 134590, 171532
  CFLAGS="$CFLAGS -fsigned-char"
@ -242,7 +252,11 @@ CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -Wno-unused"
 %else
  CFLAGS="$CFLAGS -fpie" 
 %endif
 %if %suse_version >= 1210
 LDFLAGS="-Wl,-z,relro,-z,now -pie"
 %else
 LDFLAGS="-pie"
 %endif
 FFLAGS="$CFLAGS"
 CXXFLAGS="$CFLAGS"
 export RPM_OPT_FLAGS LDFLAGS
--- a/dhcpd.conf
+++ b/dhcpd.conf
@ -13,7 +13,7 @@ max-lease-time 7200;
 # if you do not use dynamical DNS updates:
 #
 # if you want to use dynamical DNS updates, you should first read
-# read /usr/share/doc/packages/dhcp-server/DDNS-howto.txt
+# the manuals and DDNS-howto.txt provided in the dhcp-doc package.
 #
 ddns-updates off;
--- a/rc.dhcpd
+++ b/rc.dhcpd
@ -59,6 +59,11 @@ DAEMON_BIN=${DHCPD_BINARY:=/usr/sbin/dhcpd}
 DAEMON_CONF=/etc/dhcpd.conf
 DAEMON_STATE=/var/lib/dhcp
 DAEMON_LEASES=dhcpd.leases
 # note: $DAEMON_PIDFILE is a symlink to the
 #       $DAEMON_STATE$DAEMON_PIDFILE (also
 #       while DHCPD_RUN_CHROOTED=no) now,
 #       as DHCPD_RUN_AS is not allowed to
 #       create pid files in /var/run.
 DAEMON_PIDFILE=/var/run/dhcpd.pid
 STARTPROC_LOGFILE=/var/log/rc.dhcpd.log
 LDAP_CONF=/etc/openldap/ldap.conf
@ -128,7 +133,7 @@ fi
 # remove empty pid files to avoid disturbing warnings by checkproc/killproc
 # (these can occur if dhcpd does not start correctly)
 test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
-test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE
+test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE
 case "$1" in
    start)
@ -240,33 +245,33 @@ case "$1" in
 		## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it 
 		## incidentally contains the pid of a running process. If this process is not a 'dhcpd', 
 		## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.)
-		if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then
+		if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then
-			p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE)
+			p=$(<$DAEMON_STATE/$DAEMON_PIDFILE)
 			if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then
 				echo -n '(already running) '
 			else
-				rm $CHROOT_PREFIX/$DAEMON_PIDFILE
+				rm -f $DAEMON_STATE/$DAEMON_PIDFILE
 			fi
 		fi
 		PID_FILE_ARG="$DAEMON_PIDFILE"
 	else
 		DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES"
 		PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE"
 	fi
 	if [ -n "$DHCPD_RUN_AS" ]; then
 		DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)"
 		DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP"
 		if test "$DHCPD_RUN_CHROOTED" = "yes" ; then
 		chown	"${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \
-				"$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}"
+			"$DAEMON_STATE/${DAEMON_PIDFILE%/*}"
 		fi
 	fi
 	## check syntax with -t (output to log file) and start only when the syntax is okay
 	rm -f $STARTPROC_LOGFILE # start log
 	error=0
-	if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then
+	if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then
 		error=1
 	else
 		## Start daemon. If this fails the return value is set appropriate.
@ -274,19 +279,20 @@ case "$1" in
 		## to match the LSB spec.
 		test "$2" = "-v" && echo -en \
-			"\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'"
+			"\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'"
-		$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE
+		$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE
 		ret=$?
 	fi	
 	if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then
 		## be verbose
 		echo ""
-		echo -n "  please see $STARTPROC_LOGFILE for details ";
+		echo -n "  please see $STARTPROC_LOGFILE for details "
 		## set status to failed
 		rc_failed
 	else
 		ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE"
 		[ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || :
 	fi
@ -296,14 +302,29 @@ case "$1" in
    stop)
 	echo -n "Shutting down $DAEMON "
 	# Catch the case where daemon is running without chroot,
 	# but sysconfig/dhcp has been changed to use chroot (and
 	# another way around).
 	# In this case is there is no $chroot/$pidfile, but there
 	# should be a /pidfile that we use instead.
 	# We can not kill without pid file or dhcp4 kills dhcp6.
 	PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE"
 	if test "$DHCPD_RUN_CHROOTED" = "yes" ; then
 		if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \
 		          -s "$DAEMON_PIDFILE" ; then
 			PID_FILE="$DAEMON_PIDFILE"
 		fi
 	else
 		if test ! -s "$DAEMON_PIDFILE" -a \
 		          -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then
 			PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE"
 		fi
 	fi
 	## Stop daemon with killproc(8) and if this fails
 	## set echo the echo return value.
-
+	killproc -p "$PID_FILE" $DAEMON_BIN
 	killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN
 	ret=$?
 	if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then 
 		kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null
 	fi
 	# umount proc and remove libraries from the chroot jail,
 	# so they are not left over if the server is deinstalled
@ -347,8 +368,8 @@ case "$1" in
 	echo -n "Reload service $DAEMON"
 	if [ "$SUPPORTS_HUP" = "yes" ]; then 
-		killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN
+		killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN
-		#touch $CHROOT_PREFIX/$DAEMON_PIDFILE
+		#touch $DAEMON_STATE/$DAEMON_PIDFILE
 		rc_status -v
 	else
 		$0 stop  &&  sleep 3  &&  $0 start
@ -362,8 +383,8 @@ case "$1" in
 	echo -n "Reload service $DAEMON"
 	if [ "$SUPPORTS_HUP" = "yes" ]; then
 		# If it supports signalling:
-		killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN
+		killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN
-		#touch $CHROOT_PREFIX/$DAEMON_PIDFILE
+		#touch $DAEMON_STATE/$DAEMON_PIDFILE
 		rc_status -v
 	else
 		## Otherwise if it does not support reload:
@ -383,7 +404,7 @@ case "$1" in
 	# 3 - service not running
 	# NOTE: checkproc returns LSB compliant status values.
-	checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN
+	checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN
 	rc_status -v
 	;;
    probe)
@ -392,7 +413,7 @@ case "$1" in
 	rc=0
 	for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do
-		test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1
+		test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1
 	done
 	test $rc = 1 && echo restart
 	;;
--- a/rc.dhcpd6
+++ b/rc.dhcpd6
@ -63,6 +63,11 @@ DAEMON_BIN=${DHCPD_BINARY:=/usr/sbin/dhcpd6}
 DAEMON_CONF=/etc/dhcpd6.conf
 DAEMON_STATE=/var/lib/dhcp6
 DAEMON_LEASES=dhcpd6.leases
 # note: $DAEMON_PIDFILE is a symlink to the
 #       $DAEMON_STATE$DAEMON_PIDFILE (also
 #       while DHCPD_RUN_CHROOTED=no) now,
 #       as DHCPD_RUN_AS is not allowed to
 #       create pid files in /var/run.
 DAEMON_PIDFILE=/var/run/dhcpd6.pid
 STARTPROC_LOGFILE=/var/log/rc.dhcpd6.log
 LDAP_CONF=
@ -132,7 +137,7 @@ fi
 # remove empty pid files to avoid disturbing warnings by checkproc/killproc
 # (these can occur if dhcpd does not start correctly)
 test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
-test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE
+test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE
 case "$1" in
    start)
@ -244,33 +249,33 @@ case "$1" in
 		## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it 
 		## incidentally contains the pid of a running process. If this process is not a 'dhcpd', 
 		## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.)
-		if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then
+		if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then
-			p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE)
+			p=$(<$DAEMON_STATE/$DAEMON_PIDFILE)
 			if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then
 				echo -n '(already running) '
 			else
-				rm $CHROOT_PREFIX/$DAEMON_PIDFILE
+				rm -f $DAEMON_STATE/$DAEMON_PIDFILE
 			fi
 		fi
 		PID_FILE_ARG="$DAEMON_PIDFILE"
 	else
 		DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES"
 		PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE"
 	fi
 	if [ -n "$DHCPD_RUN_AS" ]; then
 		DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)"
 		DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP"
 		if test "$DHCPD_RUN_CHROOTED" = "yes" ; then
 		chown	"${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \
-				"$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}"
+			"$DAEMON_STATE/${DAEMON_PIDFILE%/*}"
 		fi
 	fi
 	## check syntax with -t (output to log file) and start only when the syntax is okay
 	rm -f $STARTPROC_LOGFILE # start log
 	error=0
-	if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then
+	if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then
 		error=1
 	else
 		## Start daemon. If this fails the return value is set appropriate.
@ -278,9 +283,9 @@ case "$1" in
 		## to match the LSB spec.
 		test "$2" = "-v" && echo -en \
-			"\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'"
+			"\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'"
-		$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE
+		$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE
 		ret=$?
 	fi	
@ -291,6 +296,7 @@ case "$1" in
 		## set status to failed
 		rc_failed
 	else
 		ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE"
 		[ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || :
 	fi
@ -300,14 +306,29 @@ case "$1" in
    stop)
 	echo -n "Shutting down $DAEMON "
 	# Catch the case where daemon is running without chroot,
 	# but sysconfig/dhcp has been changed to use chroot (and
 	# another way around).
 	# In this case is there is no $chroot/$pidfile, but there
 	# should be a /pidfile that we use instead.
 	# We can not kill without pid file or dhcp4 kills dhcp6.
 	PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE"
 	if test "$DHCPD_RUN_CHROOTED" = "yes" ; then
 		if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \
 		          -s "$DAEMON_PIDFILE" ; then
 			PID_FILE="$DAEMON_PIDFILE"
 		fi
 	else
 		if test ! -s "$DAEMON_PIDFILE" -a \
 		          -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then
 			PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE"
 		fi
 	fi
 	## Stop daemon with killproc(8) and if this fails
 	## set echo the echo return value.
-
+	killproc -p "$PID_FILE" $DAEMON_BIN
 	killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN
 	ret=$?
 	if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then 
 		kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null
 	fi
 	# umount proc and remove libraries from the chroot jail,
 	# so they are not left over if the server is deinstalled
@ -351,8 +372,8 @@ case "$1" in
 	echo -n "Reload service $DAEMON"
 	if [ "$SUPPORTS_HUP" = "yes" ]; then 
-		killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN
+		killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN
-		#touch $CHROOT_PREFIX/$DAEMON_PIDFILE
+		#touch $DAEMON_STATE/$DAEMON_PIDFILE
 		rc_status -v
 	else
 		$0 stop  &&  sleep 3  &&  $0 start
@ -366,8 +387,8 @@ case "$1" in
 	echo -n "Reload service $DAEMON"
 	if [ "$SUPPORTS_HUP" = "yes" ]; then
 		# If it supports signalling:
-		killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN
+		killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN
-		#touch $CHROOT_PREFIX/$DAEMON_PIDFILE
+		#touch $DAEMON_STATE/$DAEMON_PIDFILE
 		rc_status -v
 	else
 		## Otherwise if it does not support reload:
@ -387,7 +408,7 @@ case "$1" in
 	# 3 - service not running
 	# NOTE: checkproc returns LSB compliant status values.
-	checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN
+	checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN
 	rc_status -v
 	;;
    probe)
@ -396,7 +417,7 @@ case "$1" in
 	rc=0
 	for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do
-		test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1
+		test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1
 	done
 	test $rc = 1 && echo restart
 	;;