To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke
Subject: git: 2b22e05b1747 - stable/15 - libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Fri, 30 Jan 2026 01:20:37 +0000
Message-Id: <697c0765.22d70.418e2386@gitrepo.freebsd.org>

The branch stable/15 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b22e05b1747c9499f38264c15eccf2818a9dbc1

commit 2b22e05b1747c9499f38264c15eccf2818a9dbc1
Author: Jessica Clarke
AuthorDate: 2026-01-27 21:44:39 +0000
Commit: Jessica Clarke
CommitDate: 2026-01-30 01:20:25 +0000

libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

If net is all-zero, the loop to extract all leading non-zero octets will iterate zero times and leave nn with the value 4, which the following switch statement to initialise qbuf does not handle. As a result, _dns_getnetbyaddr will look up the PTR record for this uninitialised string, which will leak the pre-existing contents of that stack memory to the DNS resolver and, if remote and not otherwise protected, network.

Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured to enable the "dns" source for the "networks" database, which is not the default configuration in FreeBSD.

For glibc this same bug, in code also derived from BIND's, was issued CVE-2026-0915. This commit adopts the same behaviour as glibc's fix, which is to regard a net of 0 as being for 0.0.0.0.
Apparently NetBSD will return NS_UNAVAIL instead, which may or may not make more sense, but in general glibc compatibility tends to cause less friction when there's not a good reason to avoid it. Reviewed by: markj (secteam) Fixes: 1363f04ce1b8 ("get* rework and new bind code") MFC after: 1 day Security: Same bug as glibc's CVE-2026-0915 (cherry picked from commit 331316b073505e4794754af1cd0c5ccc578a2bde) --- lib/libc/net/getnetbydns.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c index deca8c58fca5..b9cc29d5bfdb 100644 --- a/lib/libc/net/getnetbydns.c +++ b/lib/libc/net/getnetbydns.c @@ -304,6 +304,9 @@ _dns_getnetbyaddr(void *rval, void *cb_data, va_list ap) for (nn = 4, net2 = net; net2; net2 >>= 8) netbr[--nn] = net2 & 0xff; switch (nn) { + case 4: /* net was all-zero i.e. 0.0.0.0 */ + sprintf(qbuf, "0.0.0.0.in-addr.arpa"); + break; case 3: /* Class A */ sprintf(qbuf, "0.0.0.%u.in-addr.arpa", netbr[3]); break;
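Review bot: At `switch (nn)` in `_dns_getnetbyaddr`, qbuf is still only written when nn matches an explicit case, and the context shown has no `default:` arm. If the full switch has none, consider adding one that fails the lookup without querying, so that qbuf can never reach the resolver unset even if the loop above is changed later. The new `sprintf(qbuf, "0.0.0.0.in-addr.arpa")` has no conversions, so a bounded string copy would do the same job, although sprintf does match the adjacent `case 3`. The diffstat shows only getnetbydns.c changing; a regression test that calls getnetbyaddr(0, AF_INET) with the "dns" source enabled for "networks" would pin the new behaviour.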
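The octet loop and switch described in the commit message, modelled as a stand-alone C function (an added example, not FreeBSD's code). `build_ptr_name`, `handle_zero` and the `STALE` fill byte are hypothetical, and cases 2, 1 and 0 are assumed to continue the pattern of the `case 3` shown in the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fill byte standing in for pre-existing stack contents. */
#define STALE 0x5a

/*
 * Build the PTR query name for a network number.
 * handle_zero = 0 models the switch before the fix, 1 after it.
 * Returns 1 if qbuf was written, 0 if it was left holding stale bytes.
 */
int
build_ptr_name(uint32_t net, int handle_zero, char *qbuf, size_t len)
{
	unsigned int netbr[4] = { 0 };
	uint32_t net2;
	int nn;

	memset(qbuf, STALE, len);	/* make "never written" observable */
	qbuf[len - 1] = '\0';

	/* Same loop as the hunk: runs zero times when net == 0, so nn stays 4. */
	for (nn = 4, net2 = net; net2; net2 >>= 8)
		netbr[--nn] = net2 & 0xff;

	switch (nn) {
	case 4:	/* net was all-zero */
		if (!handle_zero)
			return (0);	/* pre-fix: no arm matched, qbuf untouched */
		snprintf(qbuf, len, "0.0.0.0.in-addr.arpa");
		break;
	case 3:	/* shown in the hunk */
		snprintf(qbuf, len, "0.0.0.%u.in-addr.arpa", netbr[3]);
		break;
	case 2:	/* assumed: continues the pattern */
		snprintf(qbuf, len, "0.0.%u.%u.in-addr.arpa", netbr[3], netbr[2]);
		break;
	case 1:	/* assumed */
		snprintf(qbuf, len, "0.%u.%u.%u.in-addr.arpa",
		    netbr[3], netbr[2], netbr[1]);
		break;
	case 0:	/* assumed */
		snprintf(qbuf, len, "%u.%u.%u.%u.in-addr.arpa",
		    netbr[3], netbr[2], netbr[1], netbr[0]);
		break;
	default:	/* fail closed on anything unexpected */
		return (0);
	}
	return (1);
}
```

A return value of 0 marks the path on which the pre-fix code would have passed the unwritten buffer to the resolver.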