From nobody Fri Jan 30 01:19:54 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4f2J8V5JpMz6QS1J
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Fri, 30 Jan 2026 01:19:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4f2J8V3zsrz3QDv
	for <dev-commits-src-all@FreeBSD.org>; Fri, 30 Jan 2026 01:19:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1769735994;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RcdTi4bq+Y4P9eHARcgZAjzbrQN1YaC2dzHYt8bo8Vo=;
	b=gL6oYcb71pdvZ86ur0/d9Ia66TNiOZ1UOUQ5ey/5TYsMIAX1BZdXHp27fCXHCi+f4qCkA5
	SNLr1/+cZ1RM5pGyYYebH2x68iMhAZv02lqs1jWHN6jnUEAOTv02HllijB38Y73quPFgqn
	jQ2RCd7sCP9mbiGpTIfyninLcKnzRwaEkMie23bzWAFeMLIDmJkfdoUUqFMrc4Q03rkPag
	inf3II9y7Yx5XWH1OuWO6bY34vB1pYn54RjQZETI9jbxqyuU93wVYaWrxV7tKdoMSTDFij
	oJVRYkzgu9OlOYbObdibBKg95HaG3Pj0GU15YoMOAHNuUQ3BNP84qhWzryKIOA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1769735994; a=rsa-sha256; cv=none;
	b=DfkJOetlLLGlZIX2Hjc6p7g3aaSPUJ5mvI6sj85lv4OenRDI/QaLrpgVA2Lrh7N95kCflm
	zMR8UyfSbHv6YjMsRhjCSCArfe7Kyt00CM8GdLTTJDGXpzD53NwUDBm5RCDKYhuy/HSteh
	3+tYIhItMM03be5/EDb4VTJ+oWMlNzmTAyATYOiQoTULY76F48olUhXddafgJgZCV/jVF1
	x8ItLkphIRXrcNCdbdB+8nFblKqOdCjtblhc42l4WQejLIyWmvmdStuw4Jgjaofath0DPN
	Npd4abzs/fDJj2QCPJCx4STfGIJoR6Frgx/nKf7AFoxGWTfpAGGvyqC5/fNCvw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1769735994;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=RcdTi4bq+Y4P9eHARcgZAjzbrQN1YaC2dzHYt8bo8Vo=;
	b=SSk599VdG5/8BVJvBZTH+6+A36iO40d8zOGUH4mwtKLCrY5VXjScBhjD1aObNG4uojZmG8
	/WN+rvu4spyODWFNSFIKmjlsASBWiizepPpgAbtxbK36NifO385J13Ffn5wDb18PlXYNCb
	/xdvNiVHdB1yHtUfvcaSiB7SwxgAeaATXEURzixCAJEHgBe8em54Cima3OsVIYHVWFg8MX
	qOwDnCNjAVkUjwy6vBgAatthMFj2EMkVenR1uyTxaCUndxE49h71zgsspGm3F0XNP2i1PI
	Gr+j1pcDRZmqTwkQYQOv/VkLfGjLJoP2jGtLSmgMs91ysWGWCr/VZIE598TZqg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4f2J8V3QnTz12sR
	for <dev-commits-src-all@FreeBSD.org>; Fri, 30 Jan 2026 01:19:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 2374a
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Fri, 30 Jan 2026 01:19:54 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke <jrtc27@FreeBSD.org>
Subject: git: d499239dc57b - stable/14 - libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: d499239dc57b7faf34e02e874606ba0016ca07b5
Auto-Submitted: auto-generated
Date: Fri, 30 Jan 2026 01:19:54 +0000
Message-Id: <697c073a.2374a.74235ba@gitrepo.freebsd.org>

The branch stable/14 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=d499239dc57b7faf34e02e874606ba0016ca07b5

commit d499239dc57b7faf34e02e874606ba0016ca07b5
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2026-01-27 21:44:39 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2026-01-30 01:19:18 +0000

    libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
    
    If net is all-zero, the loop to extract all leading non-zero octets will
    iterate zero times and leave nn with the value 4, which the following
    switch statement to initialise qbuf does not handle. As a result,
    _dns_getnetbyaddr will look up the PTR record for this uninitialised
    string, which will leak the pre-existing contents of that stack memory
    to the DNS resolver and, if remote and not otherwise protected, network.
    
    Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
    to enable the "dns" source for the "networks" database, which is not the
    default configuration in FreeBSD.
    
    For glibc this same bug, in code also derived from BIND's, was issued
    CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
    which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
    will return NS_UNAVAIL instead, which may or may not make more sense,
    but in general glibc compatibility tends to cause less friction when
    there's not a good reason to avoid it.
    
    Reviewed by:    markj (secteam)
    Fixes:          1363f04ce1b8 ("get* rework and new bind code")
    MFC after:      1 day
    Security:       Same bug as glibc's CVE-2026-0915
    
    (cherry picked from commit 331316b073505e4794754af1cd0c5ccc578a2bde)
---
 lib/libc/net/getnetbydns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c
index f89e22c50571..c8d1797ec531 100644
--- a/lib/libc/net/getnetbydns.c
+++ b/lib/libc/net/getnetbydns.c
@@ -307,6 +307,9 @@ _dns_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 	for (nn = 4, net2 = net; net2; net2 >>= 8)
 		netbr[--nn] = net2 & 0xff;
 	switch (nn) {
+	case 4: 	/* net was all-zero i.e. 0.0.0.0 */
+		sprintf(qbuf, "0.0.0.0.in-addr.arpa");
+		break;
 	case 3: 	/* Class A */
 		sprintf(qbuf, "0.0.0.%u.in-addr.arpa", netbr[3]);
 		break;