bsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5Ksd03D9z4JVd for ; Wed, 29 Apr 2026 14:47:48 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6WnNb5NF84nn/ZyTBYJIUpx3mmn06TrTRk/5XRksu4k=; b=ItCIFDch56+Ee/KRquCetz7hpkGUPzGxl2jSjQGzaVqYT6Ur5pCo6OIqckSEIBkCusDdGm Iktyg50cmEWsM2+fegcWUX6exsXZiWeMBSVv6erh+tNROnMc6F4w+Mu8FZVNlNJRmJmbLf nrp/4T1cScnhQlO82OYoO+kmIJKrs8dXFphKPFgkK6bAvy5R1d0WFYZCtZq4Zl2lBLXZLj ZLRfqXdrNprMFFzKykbbp5JIrnWJUw/9rCXzkiEH34biSaWOsS8Z/69PAVCTAxsDV6J5ns EAaJM4ymSfImyoGe8+p0s6Siccp/ERGvwGTk+oGi3t69TWt7kUGlywqwfualLw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777474069; a=rsa-sha256; cv=none; b=E0++UPEpH8+Cr02Itfm7zP0VOdtDon6SOkvNNbYDJeSbJbEOC6pH3i61LWNa8rMJlR2ZBD pbhaomMkp/Zzc+MKz7ujmYnUPXQunO9dGxgu1b3CNt/6tUHiKeGTvoIQT/9MSRug9fTumM hVHzs5s1o/1l2MsrJNRpAtIiAoXD0DOGQpwDwscYXGP7BOTMivaH8pMC9wK4TaIov7fbdW IQoE/lA8SsfqdOSL1eLlBTVmwfYqmntj73x3h+sQwD8NQpVCufzeLcKxXSfZwpccb5wK5A ijzp2jfKmn4AUO+I8Rc9DCs7JRZn/iv6n+X1p/xlRdg4XQtz+fWvcYLcovTHlQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777474069; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=6WnNb5NF84nn/ZyTBYJIUpx3mmn06TrTRk/5XRksu4k=; b=eLmlhcy0ImdqcBoDbLFHOdpuSn7UCGBhHHbEydEq/zcWe3w8qo0EHHsTD26WgwL7ef9Zn8 VS+EMdso4TMo0dsKchcVZZg31CqkVVooHCryJqtlUX7n02lo0CAyicn1skkdjxiFNkiNd6 fwoYWxfrpnsE6uoPeFWfia4x2nFW73HeKHItRqN8FcpVBEdjPi+2AKjq3sE+LdrrYBu3BD IBKKTG21u3vEvIc5PF3xskrSa/wN0si+JoVG8Usw910eqieyCUr8WXzeRcwfwwW+VUFXNE r/o+fq2t+L/fTWMhGKPXy21zUjZwHRzvFnxb2kJkONHDJM6Flozwzizwj735pQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g5Ksc1fVrzlXt for ; Wed, 29 Apr 2026 14:47:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 3b7c4 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Wed, 29 Apr 2026 14:47:47 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 2621f6c5d4ae - stable/15 - dhclient: Check for unexpected characters in some DHCP server options List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 2621f6c5d4aeb0cef12aab812431a1581b384e06 Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:47:47 +0000 Message-Id: <69f21a13.3b7c4.286ada73@gitrepo.freebsd.org> The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=2621f6c5d4aeb0cef12aab812431a1581b384e06 commit 2621f6c5d4aeb0cef12aab812431a1581b384e06 Author: Mark Johnston AuthorDate: 2026-04-27 20:03:09 +0000 Commit: Mark Johnston CommitDate: 2026-04-29 14:40:57 +0000 dhclient: Check for unexpected characters in some DHCP server options Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) --- sbin/dhclient/dhclient.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 5d2a7453578b..719e20cffad9 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }