From nobody Wed Apr 29 14:48:28 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5KtP5BWqz6bkTd for ; Wed, 29 Apr 2026 14:48:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5KtP1YlYz4K35 for ; Wed, 29 Apr 2026 14:48:29 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474109; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iyyLuNUH2p4azF9dUwQ7A5vHKChkDV0CR6uo0dgvc4E=; b=xNyHvfyKcNaSJoWmEIjxGC35B53EiZp56IPdOQpqxfBXZGApA50J3FjWPUpQ1qiNF/Ee0l 8Ful9ppx7u8h+HWxWT2WrSSEg3/EFGhna5RN1ujFneiQETGR2Q8n+iJLyNgmaOUxna3+LX i8Pn5HsLo6zjfrN3QEbmnKAuG/voONOaUeWXCX+wNvXtH6i7NVBZIJA2sDlzAuSPml/HXZ tsVoSxcOcs1Xc0Zdtv5I18XeVxVPpGc6sBUlGVH1XBiFtgtp6OZ9tIpAd1wes99ypvStGN DccjAFh6UcAHZZN6scl+e7ZbMcf9lxSbQiCA5zTImwaD7Tc5jJ26r0IlalsjkA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777474109; a=rsa-sha256; cv=none; b=v+wB+gjVIBXL6/CQhHsxkxIHLf1mSK9hX3ZGB2IpDYVgeyjXFZcMzkfk0CHKiO1Qjumla1 tTolbj9Hvc9DCzIeL1K8qhbzc25vdzQsCIIUBRtzTcnfqz55McF2qQVpNyJ0VeOLOZlIy0 2UlrSpND8QWyeMi4xjYdmFF9Okepg3NE0gDewCWTTVQ32q7Mgf7wjqPzRYvhvOF2rO7mLr liyO+AqMWyJbX8FL4oc9CW2hLkUtuxeUcGAuNMBpxsS6cUb8cvt63ep5R6mhQJebkGf+FT lNW4ZGQ5h9ituKesAx/B+uxd4+WzGbRX6mG9k2dEMRvr6wOBQDLhnB1pPKP4Tg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474109; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=iyyLuNUH2p4azF9dUwQ7A5vHKChkDV0CR6uo0dgvc4E=; b=YfgZOP1BM7GZRWghW/faVxvqI8atSfcyvX83hF9aog0hQoQR1VzzEDQw24Yr/LLdJOvP/i KUkgrLw+cKf0sz2AYFByYRyt982CzJJS0VGWz8qvojw3o5kE8rUjPzHfccj3wwlRE5eEjV L9h15xCJ2y44JRAT+Th7SKtXkD/g6w2as4RvnyyCrD/6R5QcERFp6EPlSucFC65d5tvdWQ /Ka4COXPHuC4as1AMhn41vleeGdBACIrpmJGXlCKTCNpAVr8beetK6qwM15GMmofm6CJAd VqUvU9wMBfB6T9a7wCMOmO2dcr/a6IMhSXeuB90trm0dgtUcC7/IcYc70sx5Uw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5KtN6yHXzl5s for ; Wed, 29 Apr 2026 14:48:28 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3c6e3 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 29 Apr 2026 14:48:28 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: e7b4fb41aafa - releng/15.0 - dhclient: Check for unexpected characters in some DHCP server options List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8 Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:48:28 +0000 Message-Id: <69f21a3c.3c6e3.34f90705@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8 commit e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8 Author: Mark Johnston AuthorDate: 2026-04-27 20:03:09 +0000 Commit: Mark Johnston CommitDate: 2026-04-28 19:27:11 +0000 dhclient: Check for unexpected characters in some DHCP server options Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) --- sbin/dhclient/dhclient.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 5d2a7453578b..719e20cffad9 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }