From: Gordon Tetlow
To: Mark Johnston
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]
Date: Wed, 29 Apr 2026 16:08:49 -0700
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

This commit as well as the corresponding stable and releng branch commits were incorrectly tagged CVE-2026-42511 and should be CVE-2026-42512. Apologies for the mix up there.

Best regards,
Gordon
Hat: security-officer

On 29 Apr 2026, at 7:47, Mark Johnston wrote:

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=5d8e32aad2a8316b0aab8a93a677a63e4c3df422

commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
Author: Mark Johnston markj@FreeBSD.org
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston markj@FreeBSD.org
CommitDate: 2026-04-29 14:39:27 +0000

dhclient: Fix reallocation of dhclient script environments

When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:    so
Security:       FreeBSD-SA-26:15.dhclient
Security:       CVE-2026-42511
Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)


sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhc= lient.c
index 719e20cffad9..f671b0ab9bed 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const c= har *prefix,
char **newscriptEnv;
int newscriptEnvsize =3D client->scriptEnvsize + 50;

  • 	newscriptEnv =3D realloc(client->scr=
    iptEnv,
    
  • 	    newscriptEnvsize);
    
  • 	newscriptEnv =3D reallocarray(client-&g=
    t;scriptEnv,
    
  • 	    newscriptEnvsize, sizeof(char *));
    	if (newscriptEnv =3D=3D NULL) {
    		free(client->scriptEnv);
    		client->scriptEnv =3D NULL;
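
Review bot: the element count in the context line `int newscriptEnvsize = client->scriptEnvsize + 50;` is still a signed `int`, so `reallocarray()` now guards the count times `sizeof(char *)` multiplication but not the addition itself or the conversion of the count to `size_t`. Keeping the count in `size_t` (and `scriptEnvsize` with it, if its declaration allows) would put the whole size computation in one unsigned type. In the failure branch the array is freed and `client->scriptEnv` set to NULL; the visible lines do not show `client->scriptEnvsize` being reset alongside it, which is worth confirming so a later call cannot pair the NULL array with the old capacity.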
    