From nobody Fri Jan 30 01:19:03 2026
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4f2J7X162dz6QRb9
	for <dev-commits-src-branches@mlmmj.nyi.freebsd.org>; Fri, 30 Jan 2026 01:19:04 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4f2J7W6Bjxz3PdM
	for <dev-commits-src-branches@FreeBSD.org>; Fri, 30 Jan 2026 01:19:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1769735943;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ybSdDgS/hqgOIiotoKgrkk9vk3/KVYKeSf2A0zB3IeI=;
	b=RGguHoqPEIHO4lovg4FofH1cjkP4jybyVYHUeNhDSbyBVbYaDWC6rk9z55oN2kETaKqueB
	EDv+FjDdi27KTdUOSX9li/tzMWdH64F3xLzb6raxlF9Xz+1M32CR4+a2gWzWc5+F11Vlao
	wwpJxqqvOLbELl2rT7a2WZ5dvBx4kPndhgz/ZP76x12WnhOyvRorpwTes2vp3UDYH1LvuN
	3TD2vBd16eq9ArfPJ+93D1z9P4qC5lYFXm55o0pRFLSJ/XhkTnO5dtyDGOgsPbKTjbF3jk
	bnp01AFrhxER96JyhYAcRykpdzX2ZtcE/B4YCGasL9SGn6brxGjwfhLs8mDVow==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1769735943; a=rsa-sha256; cv=none;
	b=pB9z/ZRMoiV6vTcBKeMugFkWmWL4TeiqtRdLLjSYSreK+eoByG6CDK7v6b832CcQcBxAnA
	pb6kmKYjmJNTUT3HFh+5z5dln5j09M2lryy0MQQILozN2grbUUe1NeO6oEXD3yCTN0bIod
	SFCP1fksbJE9T+0FqfIk+FHfwFevv1T+4jgn15vrNC4gc01fGON9ufkCm9+pqYfhfFM4qB
	/6X7pK8637s+e/ph/pt9IjncglmdKHoydHndjujMg/qCplA+ToaSH4zwgpSdvrmoXWhKYi
	p6MOp6jXNptbEe5g4F233QgID0+lWjf+Rx39xQ47NrjMKeOPCtHRoJZGkXPkHA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1769735943;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=ybSdDgS/hqgOIiotoKgrkk9vk3/KVYKeSf2A0zB3IeI=;
	b=Jgae66l8MLeOh4d9945xy7cCkU+g0KtGmimAJmobkobiGGNy1ly8dyoKbYiMN5PQJOwkry
	gZfcYNbIoHDrq6EBaLl+yYedB6W2ZmjxaEOPmzUaUUhFMguOjUPmx/KzRjzZAWH1Id87wJ
	/Nnw9Fty7otGkZxN41XCu33Bse7VTB89G/k5aEYX3oxGdd0uAcGqkWA7OXD7gPNQiC+cIf
	usFCtTwcbpkDZaISB0IT6NfHbYPTxgUbWfQjZNUWibJGZnxax5PMJrCbjnLD8j2t9njymw
	wAKJlvAazxLSM+U61a5tSg8RySYXj5NPbBF28Za07myvoOihQSp2VcHm6b8DGg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4f2J7W5lSXz12b4
	for <dev-commits-src-branches@FreeBSD.org>; Fri, 30 Jan 2026 01:19:03 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 22fed
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Fri, 30 Jan 2026 01:19:03 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke <jrtc27@FreeBSD.org>
Subject: git: 2696f9be7ff6 - stable/13 - libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 2696f9be7ff6d89b62b8c47c0c315e8a67d0e994
Auto-Submitted: auto-generated
Date: Fri, 30 Jan 2026 01:19:03 +0000
Message-Id: <697c0707.22fed.5c2776bf@gitrepo.freebsd.org>

The branch stable/13 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=2696f9be7ff6d89b62b8c47c0c315e8a67d0e994

commit 2696f9be7ff6d89b62b8c47c0c315e8a67d0e994
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2026-01-27 21:44:39 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2026-01-30 01:17:53 +0000

    libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
    
    If net is all-zero, the loop to extract all leading non-zero octets will
    iterate zero times and leave nn with the value 4, which the following
    switch statement to initialise qbuf does not handle. As a result,
    _dns_getnetbyaddr will look up the PTR record for this uninitialised
    string, which will leak the pre-existing contents of that stack memory
    to the DNS resolver and, if remote and not otherwise protected, network.
    
    Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
    to enable the "dns" source for the "networks" database, which is not the
    default configuration in FreeBSD.
    
    For glibc this same bug, in code also derived from BIND's, was issued
    CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
    which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
    will return NS_UNAVAIL instead, which may or may not make more sense,
    but in general glibc compatibility tends to cause less friction when
    there's not a good reason to avoid it.
    
    Reviewed by:    markj (secteam)
    Fixes:          1363f04ce1b8 ("get* rework and new bind code")
    MFC after:      1 day
    Security:       Same bug as glibc's CVE-2026-0915
    
    (cherry picked from commit 331316b073505e4794754af1cd0c5ccc578a2bde)
---
 lib/libc/net/getnetbydns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c
index c2a8310e4172..9cf5f545a542 100644
--- a/lib/libc/net/getnetbydns.c
+++ b/lib/libc/net/getnetbydns.c
@@ -308,6 +308,9 @@ _dns_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 	for (nn = 4, net2 = net; net2; net2 >>= 8)
 		netbr[--nn] = net2 & 0xff;
 	switch (nn) {
+	case 4: 	/* net was all-zero i.e. 0.0.0.0 */
+		sprintf(qbuf, "0.0.0.0.in-addr.arpa");
+		break;
 	case 3: 	/* Class A */
 		sprintf(qbuf, "0.0.0.%u.in-addr.arpa", netbr[3]);
 		break;