From nobody Wed Apr 29 14:47:21 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5Ks55yXLz6bkJC for ; Wed, 29 Apr 2026 14:47:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5Ks52xKlz4J29 for ; Wed, 29 Apr 2026 14:47:21 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474041; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uo0z6d0WFlrdkclcsARy/YCbK98LsR0KF9SAJMk2pAw=; b=VZv/qw8I+Vh7z2ydTwo4+AECxImC4dQ66lBfCehZWM/iK784Hsu31TilZFdrif+cIfIt/f CvPS4IbsecB+ZSCJm3YsrRKkC7Gi31QUFT0DFV93xXeQake+DJ4MgnT5mq/vfu10SXfYLf Wv1DcmUH5Ys+ldN+ed575JQKr7V/38jy6rs2wMKLfZTMNxAA3e004CQsn9tD0CFb53dE6+ AATjXB12ip4KVvz15MFQw1Rfs68yD5KiKXE5+aHMd0NxHw9Rba1pKf3ZrgKP2i1omSa7gp EVUPu9iwTKNVrK6Xb9v/Odlsv3AEaDpkcfB8V7N9m3L9kyEGioEIrFnEdO/NEA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777474041; a=rsa-sha256; cv=none; b=xuJiNtUkL+eal3gOKitbK9BA955ZebqsMUdsCSdSVZNgRsa/8rWqUZ8FzvelMhHtBzxmq3 EtzoqtgQQBbRGSjRTK5hBXNteJRjzxIxT99/uE0ES1ypbJabeZWtIG7ox0X9Tj+59t0eHD pQFdk3idzUURVCAFpO7HN9Fs9bPfM/YKh0Or8kqWIsQ7YQ82hvAPkNnox+WU1jIcvgH13u +MCA8+B/aV1Cdh+ck7XJsyfMjROtCVzsd5uTTaQYTtHu1vrA7dS5NA7JlyGzGp67Da3o1G VGprgumibR1vK6y5s4/W+lN1FyhXs5LtLvbsuSkMlo77t6ClqAPN4qLEKmtezA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474041; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=uo0z6d0WFlrdkclcsARy/YCbK98LsR0KF9SAJMk2pAw=; b=Arb6Rpi4HAXhVmiUw4pLtVti41E1b+I8iQS8ZUasdKJMyydeT61PykFDSyqQVA0rA48sqD fhJll5TqOrCNuoNANMl7zSentw3dyyxOkHgEVcXJdKdMltObtWVAHIhlDtCPecLoNRf/W0 aB89/zl8dygB7LEqNdGQ1XjOP60940QWKIFiNDG76gwu89nMoXbPYy9nCTSnxB+R/FGRS0 2OkpYoMUFA3rWOX8OZgV1F5w0qKs621XohAizV+KTtLOYMAXDKUSTZHuWTXK/svlpKXSrB 5UUXePhemdrlcer/Sogbpq9xAmbIDUXLSDkAVh/bqzk2g8KiqSik6chgUJ/MDQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5Ks52NmZzl77 for ; Wed, 29 Apr 2026 14:47:21 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ceb3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 29 Apr 2026 14:47:21 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mark Johnston Subject: git: 8008e4b88daf - main - dhclient: Check for unexpected characters in some DHCP server options List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 8008e4b88daf37015d16c4ac709b91804b586575 Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:47:21 +0000 Message-Id: <69f219f9.3ceb3.44cf7042@gitrepo.freebsd.org> The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=8008e4b88daf37015d16c4ac709b91804b586575 commit 8008e4b88daf37015d16c4ac709b91804b586575 Author: Mark Johnston AuthorDate: 2026-04-27 20:03:09 +0000 Commit: Mark Johnston CommitDate: 2026-04-29 14:39:27 +0000 dhclient: Check for unexpected characters in some DHCP server options Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) --- sbin/dhclient/dhclient.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 5d2a7453578b..719e20cffad9 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }