To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: a2d45189b9ee - releng/13.5 - dhclient: Check for unexpected characters in some DHCP server options
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.5
X-Git-Reftype: branch
X-Git-Commit: a2d45189b9eec1ebf33f4ee844c4098c2f345447
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:50:18 +0000
Message-Id: <69f21aaa.3d562.4c74483e@gitrepo.freebsd.org>

The branch releng/13.5 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=a2d45189b9eec1ebf33f4ee844c4098c2f345447

commit a2d45189b9eec1ebf33f4ee844c4098c2f345447
Author:     Mark Johnston
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-28 20:32:11 +0000

    dhclient: Check for unexpected characters in some DHCP server options

    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations. We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.

    Approved by: so
    Security: FreeBSD-SA-26:12.dhclient
    Security: CVE-2026-42511
    Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 141403d8c86b..590b18ee6467 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c
@@ -1223,6 +1223,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1238,6 +1244,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }
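
Review bot: in the first hunk (server name), the strchr() pair rejects only the double quote and the backslash, and nothing next to it says why those two characters are the complete set. A short comment above the check, stating that lease->server_name ends up in the lease file and which quoting these characters would break, would tell whoever next changes the lease writer or parser that this check has to change with it. Note also that the memcpy() copies all DHCP_SNAME_LEN bytes while strchr() stops at the first NUL, so any bytes after an embedded NUL are stored but never inspected; that is only safe while every consumer treats the field as a C string, which is worth stating in the same comment.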
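
Review bot: the second hunk (filename) repeats the server-name check line for line, differing only in the field and the warning text. A small static helper that takes the string and returns whether it contains a double quote or a backslash would keep the two checks from drifting apart and give any other packet-derived string written to the lease file a single place to be validated. The warning() text is also generic: it names neither the offending server nor the interface, so a log reader cannot tell which server sent the rejected packet; including that detail would make the rejection usable as a detection signal.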