From nobody Wed Apr 29 14:48:50 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5Ktr26Jwz6bkby for ; Wed, 29 Apr 2026 14:48:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5Ktq6jYWz4K8c for ; Wed, 29 Apr 2026 14:48:51 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474131; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hKIe+rxdY1Q/kk0mAEpmaTduZlZbel9z56lnOgSwPuQ=; b=mhesK4A+tvy2eaLUpUgleq1QMJmz7vhznPA8FtSQBGHpM8f2HtQizW3kSZ2aaImwBYcAMc /TW7CmriaeMeElodlr3jGMlIPaVUxBhg8VH7ihPPQSb3+ZglcI3ULBMJ9YIc3fdvKFtMkv 4FUbteSdkH90hDIocKrDr0AxyEJqGaGYmFm+eZfr9ZsCbhCMvpWCMXD+zeKzCIazeFgSEg X6fbOd6IO7aTkZEbMG2x8znnV9nfptA9wxq/QfkWud+YC0FQbfvXJds3cXRCr0MfJyUYDC COKJCF/UocINS18wtACM78W+IYpjxYAAIQRWxac3A6Y+WN2O1nyGPYDjyO5ERw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777474131; a=rsa-sha256; cv=none; b=W3vWv6sydSLkzPhcefXHRzHWrLLndmbWPKu31ILamgnIPRvk3n/oWXNDcr4knvInQgPwzI GA/Fzmq52UxeDvC8ZxOj/9iN+lbMLomNRJFmkWTP9ePJuHN4XVzCI4LfIRddcEHVtnr7wO RbVeTMhMFcERuG+s26yZUhsri2fHAO7QDnzv96HlZ3gKK6EoLl44U9J40BmMt8TKQvvGUa WNcMErDyCZRtCS7OAII+ciXb59VF8YSnbjq8X3+sUl2AFrokwtTuTaVmAq4mJQvZ89CxC0 JqOiY8eTfxbr90hciK+5E+PJeAncPw5GMHVLXtSmNhNo95Saq2Mn/9DtAPRdEA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474131; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=hKIe+rxdY1Q/kk0mAEpmaTduZlZbel9z56lnOgSwPuQ=; b=RI5myA+4uCOvlD2vAtYmRLc05luB2N4VxH3RX3BeRGvn+KAnwfVfN1WL01np7O53m66U0N zgBxZhTa06nUY3WuWYL8pLE0rq/mAPWjh0NTVRHaxYupL3GJfnKyIH2J9GLHotHg/z/R0L XDbCLbTpFi5FB83LQjeUFwOyoFqsQaMIJtaSqrAVI7qC4nwAccxWlDI21vV1QCN+1ASkXQ xpeCvaPKsvWQYQ9Ktq4Ow9YbNph741BFlRW6BX+d2TAfQSQfqQ5bgoYxV1FJZgK3wC7SV2 R88t0mY+2d1beDpzoWdK1oXtHy65gJka+wsaVRCpEsuinSzZeQc0M1A26PZ/qQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5Ktp71GVzl7J for ; Wed, 29 Apr 2026 14:48:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3ae6b by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 29 Apr 2026 14:48:50 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: b3087e05e848 - stable/14 - dhclient: Check for unexpected characters in some DHCP server options List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: b3087e05e848405c3b9c8577a86fed173f3a8a42 Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:48:50 +0000 Message-Id: <69f21a52.3ae6b.5b7b212b@gitrepo.freebsd.org> The branch stable/14 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=b3087e05e848405c3b9c8577a86fed173f3a8a42 commit b3087e05e848405c3b9c8577a86fed173f3a8a42 Author: Mark Johnston AuthorDate: 2026-04-27 20:03:09 +0000 Commit: Mark Johnston CommitDate: 2026-04-29 14:45:04 +0000 dhclient: Check for unexpected characters in some DHCP server options Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) --- sbin/dhclient/dhclient.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index cbab3fa2973c..01ef38530cdf 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }