From ef8d97cd543d87135b3aae2d778a6f91cb800498 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Wed, 2 Feb 2011 09:18:39 +0100
Subject: [PATCH] Unexpected abort caused by a DHCPv6 decline
Security fix (CVE-2011-0413, VU#686084, bnc#667655) extracted from dhcp-4.2.1b1 sources; description from dhcp-4.2.1b1/RELNOTES: ! When processing a request in the DHCPv6 server code that specifies an address that is tagged as abandoned (meaning we received a decline request for it previously) don't attempt to move it from the inactive to active pool as doing so can result in the server crshing on an assert failure. Also retag the lease as active and reset it's timeout value. [ISC-Bugs #21921]
Signed-off-by: Marius Tomaschewski
---
 server/mdb6.c | 19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/server/mdb6.c b/server/mdb6.c
index 87bd152..9d410f5 100644
--- a/server/mdb6.c
+++ b/server/mdb6.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2011 by Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1010,7 +1010,7 @@ move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
  * Renew an lease in the pool.
  *
  * To do this, first set the new hard_lifetime_end_time for the resource,
- * and then invoke renew_lease() on it.
+ * and then invoke renew_lease6() on it.
  *
  * WARNING: lease times must only be extended, never reduced!!!
  */
@@ -1020,12 +1020,24 @@ renew_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 	 * If we're already active, then we can just move our expiration
 	 * time down the heap.
 	 *
+	 * If we're abandoned then we are already on the active list
+	 * but we need to retag the lease and move our expiration
+	 * from infinite to the current value
+	 *
 	 * Otherwise, we have to move from the inactive heap to the
 	 * active heap.
 	 */
 	if (lease->state == FTS_ACTIVE) {
 		isc_heap_decreased(pool->active_timeouts, lease->heap_index);
 		return ISC_R_SUCCESS;
+	} else if (lease->state == FTS_ABANDONED) {
+		char tmp_addr[INET6_ADDRSTRLEN];
+		lease->state = FTS_ACTIVE;
+		isc_heap_increased(pool->active_timeouts, lease->heap_index);
+		log_info("Reclaiming previously abandoned address %s",
+			 inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
+				   sizeof(tmp_addr)));
+		return ISC_R_SUCCESS;
 	} else {
 		return move_lease_to_active(pool, lease);
 	}
@@ -1115,7 +1127,8 @@ isc_result_t
 decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease) {
 	isc_result_t result;
 
-	if (lease->state != FTS_ACTIVE) {
+	if ((lease->state != FTS_ACTIVE) &&
+	    (lease->state != FTS_ABANDONED)) {
 		result = move_lease_to_active(pool, lease);
 		if (result != ISC_R_SUCCESS) {
 			return result;
-- 
1.7.1
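Review bot: The FTS_ABANDONED branch re-sorts the heap entry with isc_heap_increased() but never writes lease->hard_lifetime_end_time itself, so its correctness rests on the caller having stored the new expiry before the call, as the header comment above the hunk requires; that dependency is invisible inside the branch. I would state it at the isc_heap_increased() line: `/* caller already set hard_lifetime_end_time; the key shrank from the abandoned (infinite) value, so the entry must float up */`. The new inline comment says "move our expiration from infinite to the current value", which reads as though this branch performs the move; rewording it to "the caller has already moved our expiration from infinite to the current value" avoids that misreading. inet_ntop() can in principle return NULL, which would hand a null pointer to the `%s` in log_info(); with AF_INET6 and an INET6_ADDRSTRLEN buffer that should not occur, so this is only a minor robustness point.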
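Review bot: The widened guard lets a DECLINE for an already-abandoned address skip move_lease_to_active(), but nothing in the hunk records why FTS_ABANDONED is excluded, and the rest of decline_lease6 (presumably the retag to FTS_ABANDONED and the timeout update) lies past the end of the hunk, so whether a repeated decline re-heaps the entry safely cannot be confirmed from here. A comment on the condition would carry the rationale from the commit message into the code: `/* An abandoned lease is already on the active heap; moving it again trips the heap assertion (ISC-Bugs #21921). */`. Since a client reaches this path simply by sending a second DECLINE for the same address, the repeated-decline case deserves a regression test so the fall-through below stays exercised.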