Date:      Wed, 29 Apr 2026 16:08:49 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        Mark Johnston <markj@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]
Message-ID:  <4E7ABEB8-1EE6-4CDF-9F58-BD2C0E0BF8C7@tetlows.org>
In-Reply-To: <69f219fa.3c9fa.1698d8e9@gitrepo.freebsd.org>

This commit as well as the corresponding stable and releng branch 
commits were incorrectly tagged CVE-2026-42511 and should be 
CVE-2026-42512. Apologies for the mix-up there.

Best regards,
Gordon
Hat: security-officer

On 29 Apr 2026, at 7:47, Mark Johnston wrote:

> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5d8e32aad2a8316b0aab8a93a677a63e4c3df422
>
> commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
> Author:     Mark Johnston <markj@FreeBSD.org>
> AuthorDate: 2026-04-27 20:56:21 +0000
> Commit:     Mark Johnston <markj@FreeBSD.org>
> CommitDate: 2026-04-29 14:39:27 +0000
>
>     dhclient: Fix reallocation of dhclient script environments
>
>     When the number of DHCP options exceeds a threshold, script_set_env()
>     will reallocate the environment, stored as an array of pointers.  The
>     calculation of the array size failed to multiply by the pointer size,
>     resulting in a smaller than expected buffer which admits out-of-bounds
>     writes.
>
>     Approved by:    so
>     Security:       FreeBSD-SA-26:15.dhclient
>     Security:       CVE-2026-42511
>     Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
> ---
>  sbin/dhclient/dhclient.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
> index 719e20cffad9..f671b0ab9bed 100644
> --- a/sbin/dhclient/dhclient.c
> +++ b/sbin/dhclient/dhclient.c
> @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, 
> const char *prefix,
>  			char **newscriptEnv;
>  			int newscriptEnvsize = client->scriptEnvsize + 50;
>
> -			newscriptEnv = realloc(client->scriptEnv,
> -			    newscriptEnvsize);
> +			newscriptEnv = reallocarray(client->scriptEnv,
> +			    newscriptEnvsize, sizeof(char *));
>  			if (newscriptEnv == NULL) {
>  				free(client->scriptEnv);
>  				client->scriptEnv = NULL;
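
Review bot: In the new `reallocarray()` call, `sizeof(*newscriptEnv)` would be safer than `sizeof(char *)`, since it keeps the element size tied to the variable being assigned rather than to a repeated type name. Separately, `newscriptEnvsize` is an `int` computed as `client->scriptEnvsize + 50`; `reallocarray()` checks the count-times-size multiplication for overflow but not this signed addition, so a `size_t` count or an explicit upper bound on the slot count would close that gap. The failure branch frees `client->scriptEnv` and sets it to NULL; the visible context does not show `client->scriptEnvsize` being reset alongside it, which is worth confirming.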

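The sizing error described in the quoted commit message, as an added C example that is not part of the original e-mail or the FreeBSD source: it computes how many pointer slots the pre-fix byte count really holds and shows a checked growth helper. `struct env_table`, `env_grow()`, `slots_in_prefix_buffer()` and `xreallocarray()` (a portable stand-in for `reallocarray(3)`) are hypothetical names introduced here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define ENV_GROW 50	/* growth step used in the quoted hunk */

/* Pointer slots that really fit when realloc() is handed a slot count as bytes. */
static size_t slots_in_prefix_buffer(size_t nslots)
{
	return nslots / sizeof(char *);
}

/* Portable stand-in for reallocarray(3): realloc() with a checked nmemb * size. */
static void *xreallocarray(void *p, size_t nmemb, size_t size)
{
	if (size != 0 && nmemb > SIZE_MAX / size) {
		errno = ENOMEM;
		return NULL;
	}
	return realloc(p, nmemb * size);
}

/* Hypothetical table modelled on the scriptEnv/scriptEnvsize fields in the hunk. */
struct env_table { char **env; size_t size; };

/* Grow by ENV_GROW slots; on failure the old array is kept (the hunk frees it). */
static int env_grow(struct env_table *t)
{
	char **n;
	if (t->size > SIZE_MAX - ENV_GROW)	/* checked addition of the slot count */
		return -1;
	n = xreallocarray(t->env, t->size + ENV_GROW, sizeof(*n));
	if (n == NULL)
		return -1;
	t->env = n;
	t->size += ENV_GROW;
	return 0;
}

int main(void)
{
	struct env_table t = { NULL, 0 };
	printf("believed slots: 100, slots that fit pre-fix: %zu\n",
	    slots_in_prefix_buffer(100));
	if (env_grow(&t) == 0 && env_grow(&t) == 0)
		printf("post-fix slots: %zu (%zu bytes)\n", t.size, t.size * sizeof(char *));
	free(t.env);
	return 0;
}
```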