To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: dda71167a101 - releng/14.3 - dhclient: Check for unexpected characters in some DHCP server options
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: dda71167a1013aceb1c4236a9297a24dd62754ac
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:49:22 +0000
Message-Id: <69f21a72.3c7a1.5d8245e7@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=dda71167a1013aceb1c4236a9297a24dd62754ac

commit dda71167a1013aceb1c4236a9297a24dd62754ac
Author:     Mark Johnston
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 20:33:04 +0000

    dhclient: Check for unexpected characters in some DHCP server options

    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations. We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.

    Approved by: so
    Security: FreeBSD-SA-26:12.dhclient
    Security: CVE-2026-42511
    Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index cbab3fa2973c..01ef38530cdf 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }
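Review bot: the server-name test in the first hunk (the `strchr()` pair after `lease->server_name[DHCP_SNAME_LEN]='\0';`) rejects only `"` and `\`, and nothing in the code says why those two characters are the complete set. The commit message explains that the value is written to the lease file and re-parsed by later dhclient runs, but that reasoning lives only in the log. A short comment above the check, stating that the field ends up in the lease file and that these are the characters that can terminate or escape the string there, would stop a later change from narrowing the test. If the lease parser gives any other byte special meaning inside that string, it should be added to the test here.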
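Review bot: the filename test in the second hunk (after `lease->filename[DHCP_FILE_LEN]='\0';`) is a verbatim copy of the server-name test, differing only in the field and the warning text. A small static helper that takes the string and returns whether it contains a rejected character, called from both places, would keep the rejected set in one location so the two fields cannot drift apart. Separately, both warnings are prefixed "dhcpoffer:" while being emitted from packet_to_lease(); if that function is reached for any other message type, the prefix will mislead whoever reads the log, so a neutral prefix or the function name would be safer.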