FreeBSD Mail Archives

Date:      Wed, 29 Apr 2026 14:47:47 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 2621f6c5d4ae - stable/15 - dhclient: Check for unexpected characters in some DHCP server options
Message-ID:  <69f21a13.3b7c4.286ada73@gitrepo.freebsd.org>

index | next in thread | raw e-mail


The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2621f6c5d4aeb0cef12aab812431a1581b384e06

commit 2621f6c5d4aeb0cef12aab812431a1581b384e06
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-29 14:40:57 +0000

    dhclient: Check for unexpected characters in some DHCP server options
    
    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations.  We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 5d2a7453578b..719e20cffad9 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
 		lease->server_name[DHCP_SNAME_LEN]='\0';
+		if (strchr(lease->server_name, '"') != NULL ||
+		    strchr(lease->server_name, '\\') != NULL) {
+			warning("dhcpoffer: server name contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 
 	/* Ditto for the filename. */
@@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
 		lease->filename[DHCP_FILE_LEN]='\0';
+		if (strchr(lease->filename, '"') != NULL ||
+		    strchr(lease->filename, '\\') != NULL) {
+			warning("dhcpoffer: filename contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 	return lease;
 }

home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f21a13.3b7c4.286ada73>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation