To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: b3087e05e848 - stable/14 - dhclient: Check for unexpected characters in some DHCP server options
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: b3087e05e848405c3b9c8577a86fed173f3a8a42
Date: Wed, 29 Apr 2026 14:48:50 +0000
Message-Id: <69f21a52.3ae6b.5b7b212b@gitrepo.freebsd.org>

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b3087e05e848405c3b9c8577a86fed173f3a8a42

commit b3087e05e848405c3b9c8577a86fed173f3a8a42
Author:     Mark Johnston
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-29 14:45:04 +0000

    dhclient: Check for unexpected characters in some DHCP server options

    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations. We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.

    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index cbab3fa2973c..01ef38530cdf 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c 
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN); lease->server_name[DHCP_SNAME_LEN]='\0'; + if (strchr(lease->server_name, '"') != NULL || + strchr(lease->server_name, '\\') != NULL) { + warning("dhcpoffer: server name contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } /* Ditto for the filename. */ @@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet) } memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN); lease->filename[DHCP_FILE_LEN]='\0'; + if (strchr(lease->filename, '"') != NULL || + strchr(lease->filename, '\\') != NULL) { + warning("dhcpoffer: filename contains invalid characters."); + free_client_lease(lease); + return (NULL); + } } return lease; }
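
Review bot: In the server_name block of packet_to_lease(), the new test refuses only '"' and '\\', and nothing in the hunk says why those two bytes are sufficient. The commit message says the value is written to the lease file and parsed again by later dhclient runs; if that parser reads the field as a double-quoted string, these are the bytes that end or escape it, but control characters such as a newline still pass this test. Suggest a short comment above the strchr() calls stating the lease-file quoting the check relies on, and consider refusing non-printable bytes in the same condition.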
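
Review bot: The filename block repeats the server_name test line for line, differing only in the field and the warning text. A small static helper that takes the string and a field name would keep the two checks in step and give any other string that reaches the lease file a single place to be validated. The "dhcpoffer:" prefix in both warning() calls is hard-coded inside packet_to_lease(); if that function is reached for other message types the log line will mislead, so the prefix may be better supplied by the caller.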