From 92119d768f45cf44645fc7f9c2fe90112b6d3f97 Mon Sep 17 00:00:00 2001 From: florian Date: Tue, 4 Jun 2024 15:48:47 +0000 Subject: [PATCH] IAIDs can start at 0. I was under the impression that an IAID of 0 is special, but that's not true. Letting IAID start at zero makes array indexing easier and avoids an out of bounds access pointed out by dhill. While here, do not trust IAID received via imsg but do our own accounting. --- sbin/dhcp6leased/engine.c | 12 ++++++------ sbin/dhcp6leased/frontend.c | 6 +++--- sbin/dhcp6leased/parse.y | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/sbin/dhcp6leased/engine.c b/sbin/dhcp6leased/engine.c index 0e059c19b00..1db15432655 100644 --- a/sbin/dhcp6leased/engine.c +++ b/sbin/dhcp6leased/engine.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.7 2024/06/03 15:53:26 deraadt Exp $ */ +/* $OpenBSD: engine.c,v 1.8 2024/06/04 15:48:47 florian Exp $ */ /* * Copyright (c) 2017, 2021, 2024 Florian Obser @@ -484,7 +484,7 @@ engine_dispatch_main(int fd, short event, void *bula) SIMPLEQ_INIT(&iface_ia_conf->iface_pd_list); SIMPLEQ_INSERT_TAIL(&iface_conf->iface_ia_list, iface_ia_conf, entry); - iface_conf->ia_count++; + iface_ia_conf->id = iface_conf->ia_count++; if (iface_conf->ia_count > MAX_IA) fatalx("Too many prefix delegation requests."); break; @@ -787,11 +787,11 @@ parse_dhcp(struct dhcp6leased_iface *iface, struct imsg_dhcp *dhcp) log_debug("%s: IA_PD, IAID: %08x, T1: %u, T2: %u", __func__, ntohl(iapd.iaid), ntohl(iapd.t1), ntohl(iapd.t2)); - if (ntohl(iapd.iaid) <= iface_conf->ia_count) + if (ntohl(iapd.iaid) < iface_conf->ia_count) parse_ia_pd_options(p + sizeof(struct dhcp_iapd), opt_hdr.len - sizeof(struct dhcp_iapd), - &pds[ntohl(iapd.iaid) -1]); + &pds[ntohl(iapd.iaid)]); break; case DHO_RAPID_COMMIT: if (opt_hdr.len != 0) { 
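Review bot: The new `iface_ia_conf->id = iface_conf->ia_count++;` in engine_dispatch_main deserves a comment, because it deliberately replaces whatever id the IA config carried when it arrived (presumably copied from the imsg payload above the hunk). The engine, the frontend and parse.y now each derive the id from arrival order, so the three counters must stay in lockstep. Something like `/* IAID is our own running index into pds[], never the value from the imsg */` above the assignment would stop a later cleanup from removing it. The MAX_IA test also runs only after the entry is linked and the counter bumped, which is harmless since fatalx() does not return, but `if (iface_conf->ia_count >= MAX_IA)` ahead of the assignment reads more directly. The identical hunk in frontend_dispatch_main (frontend.c) has the same two points.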
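Review bot: The index in `&pds[ntohl(iapd.iaid)]` in parse_dhcp is taken from the received DHCPv6 message, so the `< iface_conf->ia_count` guard is the only thing between a server-chosen value and the array. It holds only if pds has at least ia_count elements, and pds is declared outside this hunk (presumably sized MAX_IA). Converting once, `uint32_t iaid = ntohl(iapd.iaid);`, and using `iaid` in the log_debug, the comparison and the index would make it obvious that the checked value and the indexing value are the same. An out-of-range IAID is currently dropped silently; `else log_warnx("%s: ignoring IA_PD with unknown IAID %u", __func__, iaid);` would make a misbehaving server visible in the logs. parse_dhcp starts and ends outside the hunk.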
@@ -818,7 +818,7 @@ parse_dhcp(struct dhcp6leased_iface *iface, struct imsg_dhcp *dhcp) SIMPLEQ_FOREACH(ia_conf, &iface_conf->iface_ia_list, entry) { - struct prefix *pd = &pds[ia_conf->id - 1]; + struct prefix *pd = &pds[ia_conf->id]; if (pd->prefix_len == 0) { log_warnx("%s: no IA for IAID %d found", __func__, @@ -1280,7 +1280,7 @@ configure_interfaces(struct dhcp6leased_iface *iface) } SIMPLEQ_FOREACH(ia_conf, &iface_conf->iface_ia_list, entry) { - struct prefix *pd = &iface->pds[ia_conf->id - 1]; + struct prefix *pd = &iface->pds[ia_conf->id]; SIMPLEQ_FOREACH(pd_conf, &ia_conf->iface_pd_list, entry) { send_configure_interface(pd_conf, pd); diff --git a/sbin/dhcp6leased/frontend.c b/sbin/dhcp6leased/frontend.c index d683a68239c..6dc1abe5203 100644 --- a/sbin/dhcp6leased/frontend.c +++ b/sbin/dhcp6leased/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.8 2024/06/03 15:53:26 deraadt Exp $ */ +/* $OpenBSD: frontend.c,v 1.9 2024/06/04 15:48:47 florian Exp $ */ /* * Copyright (c) 2017, 2021, 2024 Florian Obser @@ -362,7 +362,7 @@ frontend_dispatch_main(int fd, short event, void *bula) SIMPLEQ_INIT(&iface_ia_conf->iface_pd_list); SIMPLEQ_INSERT_TAIL(&iface_conf->iface_ia_list, iface_ia_conf, entry); - iface_conf->ia_count++; + iface_ia_conf->id = iface_conf->ia_count++; if (iface_conf->ia_count > MAX_IA) fatalx("Too many prefix delegation requests."); break; @@ -873,7 +873,7 @@ build_packet(uint8_t message_type, struct iface *iface, char *if_name) case DHCPREQUEST: case DHCPRENEW: case DHCPREBIND: - pd = &iface->pds[ia_conf->id - 1]; + pd = &iface->pds[ia_conf->id]; iaprefix.prefix_len = pd->prefix_len; memcpy(&iaprefix.prefix, &pd->prefix, sizeof(struct in6_addr)); diff --git a/sbin/dhcp6leased/parse.y b/sbin/dhcp6leased/parse.y index 0e8a50c7d28..940ec15d1f8 100644 --- a/sbin/dhcp6leased/parse.y +++ b/sbin/dhcp6leased/parse.y 
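Review bot: `&pds[ia_conf->id]` in this parse_dhcp loop is indexed with no check at the point of use, and the same holds for `&iface->pds[ia_conf->id]` in configure_interfaces and in build_packet (frontend.c). With this commit the id is assigned locally and capped by the MAX_IA fatalx in the dispatch functions, so the accesses look in range provided pds holds MAX_IA entries, but that invariant lives in a different function and the array declaration is not in view. A comment such as `/* id < MAX_IA, enforced where the IA config is received */` next to the first use would record it. All three enclosing functions extend beyond their hunks.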
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.6 2024/06/03 15:53:26 deraadt Exp $ */ +/* $OpenBSD: parse.y,v 1.7 2024/06/04 15:48:47 florian Exp $ */ /* * Copyright (c) 2018, 2024 Florian Obser @@ -176,8 +176,8 @@ ia_pd : REQUEST PREFIX DELEGATION ON STRING FOR { iface_ia_conf = calloc(1, sizeof(*iface_ia_conf)); if (iface_ia_conf == NULL) err(1, "%s: calloc", __func__); - iface_ia_conf->id = ++iface_conf->ia_count; - if (iface_ia_conf->id > MAX_IA) { + iface_ia_conf->id = iface_conf->ia_count++; + if (iface_conf->ia_count > MAX_IA) { yyerror("Too many prefix delegation requests"); YYERROR; } -- 2.20.1
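Review bot: In the ia_pd rule the counter is post-incremented before the limit test, so on the `yyerror`/`YYERROR` path ia_count is left above MAX_IA and the freshly calloc'ed iface_ia_conf is not freed in the lines shown. Testing first with `if (iface_conf->ia_count >= MAX_IA) {` ahead of the calloc, and assigning `iface_ia_conf->id = iface_conf->ia_count++;` only afterwards, avoids both. This matters little if a parse error ends the process, which the hunk does not show. The rule's action continues outside the hunk.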