From nobody Thu Apr 30 21:07:00 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g66Dj01fcz6cGbn for ; Thu, 30 Apr 2026 21:07:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g66Dh3B7Nz3YBn for ; Thu, 30 Apr 2026 21:07:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777583220; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DfH6ewfj3hJQjegJ1qFSjXgJ1PBZpFIPqH/Qk6rQgKQ=; b=ehMs95lrUCxMXzjMCm1AVNeAcxKu1I/gsYXYVAsnPxHS+xyQHM30cH4TjVCN8mchq5wObz 6gtCjXBHgMBCTFv0pPRhdJSyLaAG4c2eH/XAiv6rKwpV10ybTo5H2LyNzxRFqXxx4M65t1 GJl6/pJYWtAPEpvk+6MB/iDa2V8HlSdWb+/4qYKHNJddBmqm3XwiLM0WL+i1B62M4Maiem 5nRTJGXyrU9PHn0YBE9K3G9ojCmG5ZIM1ZL+QJSaJbHegWpM+ouKvUaVIHk0sRhCNUuNGr Jse8ITIWTK/lCDltSlKVd/blV42HQViJ+i28mZNT3WFUQ66oJlKja+KKBrfRbQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777583220; a=rsa-sha256; cv=none; b=CR5JoKgUFPe3YZpPhIIeKym0G4635KvN60Nt36iVRQ45smsXpKMIr79boYOmiPlyQFhydw TwJblJZwiRXDoZryVzjUICsDyjcAXnBh5yuOgoKXDqIsxsqmXM6AJm8g2RfSjRImOhLggj TxNwIM5KHGgc68CC34/1XILDC+C8i9K4IuY6SSJWMUKrOnCi70SJ7JvUyEUK92j6WKpHZq 13POhXlzM8aeJTYmG1mQ+3Vku2E4MqUSO7sTufgXGfp8t1XWV8VitMarHgQgG3Fa4/cgrn tEK0kuMXQamT+VqL5eZVsXYEmIhy3g4dJhvA4FhYJTU6YEIpRjhKtf5GBc5NwQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777583220; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DfH6ewfj3hJQjegJ1qFSjXgJ1PBZpFIPqH/Qk6rQgKQ=; b=o7rJwcUPHjudHL7jpLo+DsNRKNBPlyqMTlwW3Rzdqi3FUrrEk5AXPYg1gD2igV7oSc9dkf r0VMXZhyZ6kUO+rFS73q4JDYZJ0l4/IakaTVqZLsKzaL8Mi5aqlzhWhGb3qfTsjiBlFI8n QuiM/xEm+Mi6fZG0tP72Pa6LKy5zQAmB9jUHz8XkoLMkF+Qb8VYkrLO1r7LulB91gB/75V LdOa7qOmTuqIt05CvilGZGZ0S278D+T9XU+Y9L9mQel6m4V481ZdWRO31QO8BWmGAaLoJK Zru0SkDJNok+U5DksY8dKdu1UdZWBcvDrgVfu2QS/KXqhEe55JFNbDJeX/CGaw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g66Dh2XNPzD2M for ; Thu, 30 Apr 2026 21:07:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 44db8 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Thu, 30 Apr 2026 21:07:00 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav Subject: git: 252f603d1704 - stable/15 - dhclient: Improve server and filename validation List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 252f603d1704044defb7695e707bc87c7f75483a Auto-Submitted: auto-generated Date: Thu, 30 Apr 2026 21:07:00 +0000 Message-Id: <69f3c474.44db8.65c9d45a@gitrepo.freebsd.org> The branch stable/15 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=252f603d1704044defb7695e707bc87c7f75483a commit 252f603d1704044defb7695e707bc87c7f75483a Author: Dag-Erling Smørgrav AuthorDate: 2026-04-30 16:45:35 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2026-04-30 21:06:54 +0000 dhclient: Improve server and filename validation * Don't iterate over each string three times; once is enough. * Reject control characters (anything below space) in addition to the double quote and backslash. * If an unsafe character is encountered, discard the string instead of rejecting the entire lease. * If backslashes are encountered in the file name option, convert them to forward slashes instead of rejecting the option. * Tweak the warning messages a bit. Looking through the rest of the code, it seems to me that notes generally end with a period while warnings generally don't. Fixes: 8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options") PR: 294886 MFC after: 1 week Reviewed by: brooks, markj Differential Revision: https://reviews.freebsd.org/D56740 (cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0) --- sbin/dhclient/dhclient.c | 75 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 54 insertions(+), 21 deletions(-) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index f671b0ab9bed..695451088231 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -1161,7 +1161,7 @@ packet_to_lease(struct packet *packet) lease = malloc(sizeof(struct client_lease)); if (!lease) { - warning("dhcpoffer: no memory to record lease."); + warning("dhcpoffer: no memory to record lease"); return (NULL); } @@ -1211,7 +1211,7 @@ packet_to_lease(struct packet *packet) /* If the server name was filled out, copy it. Do not attempt to validate the server name as a host name. - RFC 2131 merely states that sname is NUL-terminated (which do + RFC 2131 merely states that sname is NUL-terminated (which we do not assume) and that it is the server's host name. Since the ISC client and server allow arbitrary characters, we do as well. */ @@ -1219,39 +1219,72 @@ packet_to_lease(struct packet *packet) !(packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2)) && packet->raw->sname[0]) { lease->server_name = malloc(DHCP_SNAME_LEN + 1); - if (!lease->server_name) { - warning("dhcpoffer: no memory for server name."); + if (lease->server_name == NULL) { + warning("dhcpoffer: no memory for server name"); free_client_lease(lease); return (NULL); } - memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); - lease->server_name[DHCP_SNAME_LEN]='\0'; - if (strchr(lease->server_name, '"') != NULL || - strchr(lease->server_name, '\\') != NULL) { - warning("dhcpoffer: server name contains invalid characters."); - free_client_lease(lease); - return (NULL); + for (i = 0; i < DHCP_SNAME_LEN; i++) { + if (packet->raw->sname[i] == '\0') { + break; + } + if (packet->raw->sname[i] < ' ' || + packet->raw->sname[i] == '"' || + packet->raw->sname[i] == '\\') { + warning("dhcpoffer: server name contains " + "unsafe characters"); + free(lease->server_name); + lease->server_name = NULL; + break; + } + lease->server_name[i] = packet->raw->sname[i]; + } + /* Terminate and zero-pad */ + if (lease->server_name != NULL) { + while (i < DHCP_SNAME_LEN + 1) { + lease->server_name[i++] = '\0'; + } } } - /* Ditto for the filename. */ + /* Ditto for the file name. */ if ((!packet->options[DHO_DHCP_OPTION_OVERLOAD].len || !(packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 1)) && packet->raw->file[0]) { /* Don't count on the NUL terminator. */ lease->filename = malloc(DHCP_FILE_LEN + 1); - if (!lease->filename) { - warning("dhcpoffer: no memory for filename."); + if (lease->filename == NULL) { + warning("dhcpoffer: no memory for file name"); free_client_lease(lease); return (NULL); } - memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); - lease->filename[DHCP_FILE_LEN]='\0'; - if (strchr(lease->filename, '"') != NULL || - strchr(lease->filename, '\\') != NULL) { - warning("dhcpoffer: filename contains invalid characters."); - free_client_lease(lease); - return (NULL); + for (i = 0; i < DHCP_FILE_LEN; i++) { + if (packet->raw->file[i] == '\0') { + break; + } + if (packet->raw->file[i] < ' ' || + packet->raw->file[i] == '"') { + warning("dhcpoffer: file name contains " + "unsafe characters"); + free(lease->filename); + lease->filename = NULL; + break; + } + if (packet->raw->file[i] == '\\') { + /* + * This is common in Windows-centric + * environments. Instead of rejecting, + * silently convert to forward slash. + */ + packet->raw->file[i] = '/'; + } + lease->filename[i] = packet->raw->file[i]; + } + /* Terminate and zero-pad */ + if (lease->filename != NULL) { + while (i < DHCP_FILE_LEN + 1) { + lease->filename[i++] = '\0'; + } } } return lease;