From 7fcbb22094392f6ea9f9f67dfbc00a4488d4cf32 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 Sep 2023 14:17:10 +0200
Subject: [PATCH] dhcp: merge_ipv6_address() was too intrusive

Testing 3582242d0fe10 it appeared that link-local addresses were
rewritten as GUAs in the dhcpd configuration.  The static map part
does this right, but all the other callers are not.  Flip this
around as it was intended.  The DHCPv6 page will now throw an out
of range error when it previously adjusted the explit prefix anyway.

dhcpd config with link local seems fine too, but more testing is
always good.
---
 src/etc/inc/plugins.inc.d/dhcpd.inc | 12 ++++--------
 src/etc/inc/util.inc                |  5 +++++
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/dhcpd.inc b/src/etc/inc/plugins.inc.d/dhcpd.inc
index 1f21535af..17abde234 100644
--- a/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -1361,13 +1361,9 @@ function dhcpd_dhcp6_configure($verbose = false, $blacklist = [])
             } else {
                 if (!empty($dhcpdv6cfg[$ifname]['range']['from']) && !empty($dhcpdv6cfg[$ifname]['range']['to'])) {
                     /* get config entry and marry it to the live prefix */
-                    $dhcpdv6cfg[$ifname]['range'] = array(
-                        'from' => merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['from']),
-                        'to' => merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['to']),
-                    );
-                }
-
-                if (!empty($dhcpdv6cfg[$ifname]['prefixrange']['from']) && !empty($dhcpdv6cfg[$ifname]['prefixrange']['to'])) {
+                    $dhcpdv6cfg[$ifname]['range']['from'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['from']);
+                    $dhcpdv6cfg[$ifname]['range']['to'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['to']);
+                } elseif (!empty($dhcpdv6cfg[$ifname]['prefixrange']['from']) && !empty($dhcpdv6cfg[$ifname]['prefixrange']['to'])) {
                     /* XXX $pdlen is never validated against prefixlenght setting, but must be smaller or equal */
                     $pdlen = 64 - calculate_ipv6_delegation_length($config['interfaces'][$ifname]['track6-interface']);
 
@@ -1872,7 +1868,7 @@ function dhcpd_staticmap($proto = null, $valid_addresses = true, $domain_fallbac
                     continue;
                 }
 
-                if (!empty($ipaddrv6) && strpos($host['ipaddrv6'], '::') === 0) {
+                if (!empty($ipaddrv6)) {
                     /* expand IPv6 suffix address, but only allow user-given compressed suffix */
                     $host['ipaddrv6'] = merge_ipv6_address($ipaddrv6, $host['ipaddrv6']);
                 }
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index af28490b8..c7002c134 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -542,6 +542,11 @@ function find_smallest_cidr6($ips)
 /* merge IPv6 address prefix of default size 64 with suffix */
 function merge_ipv6_address($prefix, $suffix, $size = 64)
 {
+    if (strpos($suffix, '::') !== 0) {
+        /* do not override full addresses */
+        return $suffix;
+    }
+
     $size = 128 - $size;
 
     $prefix_bits = unpack('N*', inet_pton($prefix));