Date: Wed, 29 Apr 2026 14:49:24 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 76734958a098 - releng/14.3 - dhclient: Fix reallocation of dhclient script environments Message-ID: <69f21a74.3ba4b.6dda83c1@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch releng/14.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=76734958a0986bdd4cf7edfe845b5e7b4e152360 commit 76734958a0986bdd4cf7edfe845b5e7b4e152360 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2026-04-27 20:56:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-04-28 20:33:04 +0000 dhclient: Fix reallocation of dhclient script environments When the number of DHCP options exceeds a threshold, script_set_env() will reallocate the environment, stored as an array of pointers. The calculation of the array size failed to multiply by the pointer size, resulting in a smaller than expected buffer which admits out-of-bounds writes. Approved by: so Security: FreeBSD-SA-26:15.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) --- sbin/dhclient/dhclient.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 01ef38530cdf..c7a7fcca06ff 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const char *prefix, char **newscriptEnv; int newscriptEnvsize = client->scriptEnvsize + 50; - newscriptEnv = realloc(client->scriptEnv, - newscriptEnvsize); + newscriptEnv = reallocarray(client->scriptEnv, + newscriptEnvsize, sizeof(char *)); if (newscriptEnv == NULL) { free(client->scriptEnv); client->scriptEnv = NULL;home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f21a74.3ba4b.6dda83c1>