To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 46c01e4dd102 - stable/13 - dhclient: Check for unexpected characters in some DHCP server options
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Date: Wed, 29 Apr 2026 14:50:06 +0000
Message-Id: <69f21a9e.3c8b8.6ad8346a@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=46c01e4dd1026bee017a86fd9906d2554cd910b6

commit 46c01e4dd1026bee017a86fd9906d2554cd910b6
Author:     Mark Johnston
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 17:06:01 +0000

    dhclient: Check for unexpected characters in some DHCP server options

    Some options are written directly to the lease file, which may be
    parsed by subsequent dhclient invocations. We must make sure that a
    malicious server can't control the "medium" field of a lease
    definition, otherwise they can achieve RCE by injecting one into the
    lease file, whereupon it will be passed to dhclient-script, which
    passes it through eval.

    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 0ac2a493a94f..1af89a534605 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c
@@ -1217,6 +1217,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1232,6 +1238,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }
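
Review bot: in the server_name hunk (@@ -1217), the new strchr() checks reject only '"' and '\\', and nothing next to them says why those two bytes are the complete set. The commit message ties the check to the lease file being re-parsed by later dhclient invocations, so a short comment above the test naming the lease-file quoting rule it protects would help the next reader. The code that writes server_name to the lease file is not part of this diff, so it is also worth confirming there that no other byte (a newline, a non-printable character) can end the quoted string early.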
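
Review bot: in the filename hunk (@@ -1232), the check is a copy of the one added for server_name in the previous hunk, differing only in the field name and the warning text. A small static helper that takes the string and reports whether it contains '"' or '\\' would keep the two call sites in step if the rejected set ever changes. Note also that strchr() stops at the first NUL, so any bytes of packet->raw->file after an embedded NUL are copied by memcpy() but never inspected; that is fine only as long as every consumer treats lease->filename as a C string, which deserves a one-line comment.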