From: Mark Johnston
Subject: git: 73b801e3b5b3 - releng/14.4 - dhclient: Check for unexpected characters in some DHCP server options
Date: Wed, 29 Apr 2026 14:49:41 +0000

The branch releng/14.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=73b801e3b5b3b92a9691bda847b2021b2e1d122b

commit 73b801e3b5b3b92a9691bda847b2021b2e1d122b
Author:     Mark Johnston
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 20:33:58 +0000

    dhclient: Check for unexpected characters in some DHCP server options

    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations. We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.

    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index cbab3fa2973c..01ef38530cdf 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }
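
Review bot: In the first hunk (@@ -1226), the new check on lease->server_name rejects only '"' and '\\' and carries no comment saying why those two bytes matter. The reason is given only in the commit message: the string is written to the lease file and parsed again by later dhclient invocations. A short comment above the `if` stating that would keep the check from being narrowed or dropped in a later cleanup. Since the subject line speaks of "unexpected characters" in general, the comment should also say whether other bytes (control characters, for instance) are accepted on purpose.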
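
Review bot: In the second hunk (@@ -1241), the check on lease->filename repeats the server_name check line for line, differing only in the field and the warning text. A small static helper that takes the string and a field label, and tests it with a single strpbrk() call over the rejected set instead of two strchr() calls, would keep the two character sets from drifting apart if one is extended later. Both call sites would then reduce to the helper call followed by free_client_lease(lease) and return (NULL).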