mmits-src-branches@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: dda71167a101 - releng/14.3 - dhclient: Check for unexpected characters in some DHCP server options
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.3
X-Git-Reftype: branch
X-Git-Commit: dda71167a1013aceb1c4236a9297a24dd62754ac
Auto-Submitted: auto-generated
Date: Wed, 29 Apr 2026 14:49:22 +0000
Message-Id: <69f21a72.3c7a1.5d8245e7@gitrepo.freebsd.org>

The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=dda71167a1013aceb1c4236a9297a24dd62754ac

commit dda71167a1013aceb1c4236a9297a24dd62754ac
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:33:04 +0000

    dhclient: Check for unexpected characters in some DHCP server options
    
    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations.  We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index cbab3fa2973c..01ef38530cdf 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
 		lease->server_name[DHCP_SNAME_LEN]='\0';
+		if (strchr(lease->server_name, '"') != NULL ||
+		    strchr(lease->server_name, '\\') != NULL) {
+			warning("dhcpoffer: server name contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 
 	/* Ditto for the filename. */
@@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
 		lease->filename[DHCP_FILE_LEN]='\0';
+		if (strchr(lease->filename, '"') != NULL ||
+		    strchr(lease->filename, '\\') != NULL) {
+			warning("dhcpoffer: filename contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 	return lease;
 }