File dhcp-CVE-2019-6470.patch of Package dhcp

commit 21ae396088a3fbe046e3122286d1288eeacce7d3
Author: Thomas Markwalder <tmark@isc.org>
Date:   Fri Dec 1 09:21:42 2017 -0500

    [v4_3] Use 0 instead of -1 to indicate empty heap index
    
        Merges in rt46719.

--- includes/dhcpd.h.orig
+++ includes/dhcpd.h
@@ -1596,8 +1596,9 @@ struct iasubopt {
  */
 #define EXPIRED_IPV6_CLEANUP_TIME (60*60)
 
-	int heap_index;				/* index into heap, or -1
-						   (internal use only) */
+	/* index into heaps, or -1 (internal use only) */
+	int active_index;
+	int inactive_index;
 
 	/*
 	 * A pointer to the state of the ddns update for this lease.
--- server/mdb6.c.orig
+++ server/mdb6.c
@@ -216,7 +216,8 @@ iasubopt_allocate(struct iasubopt **iasu
 
 	tmp->refcnt = 1;
 	tmp->state = FTS_FREE;
-	tmp->heap_index = -1;
+	tmp->active_index = 0;
+	tmp->inactive_index = 0;
 	tmp->plen = 255;
 
 	*iasubopt = tmp;
@@ -600,14 +601,18 @@ lease_older(void *a, void *b) {
 }
 
 /*
- * Helper function for lease address/prefix heaps.
+ * Helper functions for lease address/prefix heaps.
  * Callback when an address's position in the heap changes.
  */
 static void
-lease_index_changed(void *iasubopt, unsigned int new_heap_index) {
-	((struct iasubopt *)iasubopt)-> heap_index = new_heap_index;
+active_changed(void *iasubopt, unsigned int new_heap_index) {
+	((struct iasubopt *)iasubopt)->active_index = new_heap_index;
 }
 
+static void
+inactive_changed(void *iasubopt, unsigned int new_heap_index) {
+	((struct iasubopt *)iasubopt)->inactive_index = new_heap_index;
+}
 
 /*!
  *
@@ -660,13 +665,13 @@ ipv6_pool_allocate(struct ipv6_pool **po
 		dfree(tmp, file, line);
 		return ISC_R_NOMEMORY;
 	}
-	if (isc_heap_create(dhcp_gbl_ctx.mctx, lease_older, lease_index_changed,
+	if (isc_heap_create(dhcp_gbl_ctx.mctx, lease_older, active_changed,
 			    0, &(tmp->active_timeouts)) != ISC_R_SUCCESS) {
 		iasubopt_free_hash_table(&(tmp->leases), file, line);
 		dfree(tmp, file, line);
 		return ISC_R_NOMEMORY;
 	}
-	if (isc_heap_create(dhcp_gbl_ctx.mctx, lease_older, lease_index_changed,
+	if (isc_heap_create(dhcp_gbl_ctx.mctx, lease_older, inactive_changed,
 			    0, &(tmp->inactive_timeouts)) != ISC_R_SUCCESS) {
 		isc_heap_destroy(&(tmp->active_timeouts));
 		iasubopt_free_hash_table(&(tmp->leases), file, line);
@@ -1186,7 +1191,7 @@ cleanup_lease6(ia_hash_t *ia_table,
 	 * Remove the old lease from the active heap and from the hash table
 	 * then remove the lease from the IA and clean up the IA if necessary.
 	 */
-	isc_heap_delete(pool->active_timeouts, test_iasubopt->heap_index);
+	isc_heap_delete(pool->active_timeouts, test_iasubopt->active_index);
 	pool->num_active--;
 	if (pool->ipv6_pond)
 		pool->ipv6_pond->num_active--;
@@ -1259,7 +1264,7 @@ add_lease6(struct ipv6_pool *pool, struc
 		if ((test_iasubopt->state == FTS_ACTIVE) ||
 		    (test_iasubopt->state == FTS_ABANDONED)) {
 			isc_heap_delete(pool->active_timeouts,
-					test_iasubopt->heap_index);
+					test_iasubopt->active_index);
 			pool->num_active--;
 			if (pool->ipv6_pond)
 				pool->ipv6_pond->num_active--;
@@ -1271,7 +1276,7 @@ add_lease6(struct ipv6_pool *pool, struc
 			}
 		} else {
 			isc_heap_delete(pool->inactive_timeouts,
-					test_iasubopt->heap_index);
+					test_iasubopt->inactive_index);
 			pool->num_inactive--;
 		}
 
@@ -1392,14 +1397,13 @@ lease6_usable(struct iasubopt *lease) {
 static isc_result_t
 move_lease_to_active(struct ipv6_pool *pool, struct iasubopt *lease) {
 	isc_result_t insert_result;
-	int old_heap_index;
 
-	old_heap_index = lease->heap_index;
 	insert_result = isc_heap_insert(pool->active_timeouts, lease);
 	if (insert_result == ISC_R_SUCCESS) {
        		iasubopt_hash_add(pool->leases, &lease->addr, 
 				  sizeof(lease->addr), lease, MDL);
-		isc_heap_delete(pool->inactive_timeouts, old_heap_index);
+		isc_heap_delete(pool->inactive_timeouts,
+				lease->inactive_index);
 		pool->num_active++;
 		pool->num_inactive--;
 		lease->state = FTS_ACTIVE;
@@ -1449,16 +1453,16 @@ renew_lease6(struct ipv6_pool *pool, str
 	if (lease->state == FTS_ACTIVE) {
 		if (old_end_time <= lease->hard_lifetime_end_time) {
 			isc_heap_decreased(pool->active_timeouts,
-					   lease->heap_index);
+					   lease->active_index);
 		} else {
 			isc_heap_increased(pool->active_timeouts,
-					   lease->heap_index);
+					   lease->active_index);
 		}
 		return ISC_R_SUCCESS;
 	} else if (lease->state == FTS_ABANDONED) {
 		char tmp_addr[INET6_ADDRSTRLEN];
                 lease->state = FTS_ACTIVE;
-                isc_heap_increased(pool->active_timeouts, lease->heap_index);
+                isc_heap_increased(pool->active_timeouts, lease->active_index);
 		log_info("Reclaiming previously abandoned address %s",
 			 inet_ntop(AF_INET6, &(lease->addr), tmp_addr,
 				   sizeof(tmp_addr)));
@@ -1480,9 +1484,7 @@ static isc_result_t
 move_lease_to_inactive(struct ipv6_pool *pool, struct iasubopt *lease, 
 		       binding_state_t state) {
 	isc_result_t insert_result;
-	int old_heap_index;
 
-	old_heap_index = lease->heap_index;
 	insert_result = isc_heap_insert(pool->inactive_timeouts, lease);
 	if (insert_result == ISC_R_SUCCESS) {
 		/*
@@ -1533,7 +1535,7 @@ move_lease_to_inactive(struct ipv6_pool
 
 		iasubopt_hash_delete(pool->leases, 
 				     &lease->addr, sizeof(lease->addr), MDL);
-		isc_heap_delete(pool->active_timeouts, old_heap_index);
+		isc_heap_delete(pool->active_timeouts, lease->active_index);
 		lease->state = state;
 		pool->num_active--;
 		pool->num_inactive++;
@@ -1611,7 +1613,7 @@ decline_lease6(struct ipv6_pool *pool, s
 		pool->ipv6_pond->num_abandoned++;
 
 	lease->hard_lifetime_end_time = MAX_TIME;
-	isc_heap_decreased(pool->active_timeouts, lease->heap_index);
+	isc_heap_decreased(pool->active_timeouts, lease->active_index);
 	return ISC_R_SUCCESS;
 }
 
@@ -1884,7 +1886,7 @@ cleanup_old_expired(struct ipv6_pool *po
 			break;
 		}
 
-		isc_heap_delete(pool->inactive_timeouts, tmp->heap_index);
+		isc_heap_delete(pool->inactive_timeouts, tmp->inactive_index);
 		pool->num_inactive--;
 
 		if (tmp->ia != NULL) {
--- server/tests/mdb6_unittest.c.orig
+++ server/tests/mdb6_unittest.c
@@ -65,8 +65,13 @@ ATF_TC_BODY(iaaddr_basic, tc)
     if (iaaddr->state != FTS_FREE) {
         atf_tc_fail("ERROR: bad state %s:%d", MDL);
     }
-    if (iaaddr->heap_index != -1) {
-        atf_tc_fail("ERROR: bad heap_index %s:%d", MDL);
+    if (iaaddr->active_index != 0) {
+        atf_tc_fail("ERROR: bad active_index :%d %s:%d",
+            iaaddr->active_index, MDL);
+    }
+    if (iaaddr->inactive_index != 0) {
+        atf_tc_fail("ERROR: bad inactive_index %d %s:%d",
+            iaaddr->inactive_index, MDL);
     }
     if (iasubopt_reference(&iaaddr_copy, iaaddr, MDL) != ISC_R_SUCCESS) {
         atf_tc_fail("ERROR: iasubopt_reference() %s:%d", MDL);