To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Jessica Clarke
Subject: git: 331316b07350 - main - libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 331316b073505e4794754af1cd0c5ccc578a2bde
Auto-Submitted: auto-generated
Date: Tue, 27 Jan 2026 21:45:47 +0000
Message-Id: <6979320b.378fd.4f40a75d@gitrepo.freebsd.org>

The branch main has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=331316b073505e4794754af1cd0c5ccc578a2bde

commit 331316b073505e4794754af1cd0c5ccc578a2bde
Author:     Jessica Clarke
AuthorDate: 2026-01-27 21:44:39 +0000
Commit:     Jessica Clarke
CommitDate: 2026-01-27 21:44:39 +0000

    libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

    If net is all-zero, the loop to extract all leading non-zero octets will
    iterate zero times and leave nn with the value 4, which the following
    switch statement to initialise qbuf does not handle. As a result,
    _dns_getnetbyaddr will look up the PTR record for this uninitialised
    string, which will leak the pre-existing contents of that stack memory
    to the DNS resolver and, if remote and not otherwise protected, network.

    Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
    to enable the "dns" source for the "networks" database, which is not the
    default configuration in FreeBSD.

    For glibc this same bug, in code also derived from BIND's, was issued
    CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
    which is to regard a net of 0 as being for 0.0.0.0.
    Apparently NetBSD will return NS_UNAVAIL instead, which may or may not
    make more sense, but in general glibc compatibility tends to cause less
    friction when there's not a good reason to avoid it.

    Reviewed by:    markj (secteam)
    Fixes:          1363f04ce1b8 ("get* rework and new bind code")
    MFC after:      1 day
    Security:       Same bug as glibc's CVE-2026-0915
--- lib/libc/net/getnetbydns.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c index deca8c58fca5..b9cc29d5bfdb 100644 --- a/lib/libc/net/getnetbydns.c +++ b/lib/libc/net/getnetbydns.c @@ -304,6 +304,9 @@ _dns_getnetbyaddr(void *rval, void *cb_data, va_list ap) for (nn = 4, net2 = net; net2; net2 >>= 8) netbr[--nn] = net2 & 0xff; switch (nn) { + case 4: /* net was all-zero i.e. 0.0.0.0 */ + sprintf(qbuf, "0.0.0.0.in-addr.arpa"); + break; case 3: /* Class A */ sprintf(qbuf, "0.0.0.%u.in-addr.arpa", netbr[3]); break;
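
Review bot: In `switch (nn)`, the new `case 4:` arm covers the one value the commit message identifies, but the hunk does not show anything that sets `qbuf` when `nn` matches no arm. If the switch has no `default:`, adding one that fails the lookup, or setting `qbuf[0] = '\0'` ahead of the switch, would make any unhandled value fail closed rather than put stack contents into a PTR query. The new arm also runs a constant string through `sprintf` with no conversions; a bounded copy such as `strlcpy(qbuf, "0.0.0.0.in-addr.arpa", sizeof(qbuf))` would state the intent more directly, assuming `qbuf` is an array, which the hunk does not show. The diffstat lists only `getnetbydns.c`, so a regression test that calls `getnetbyaddr(0, AF_INET)` with the "dns" source enabled and checks the resulting query name would be worth adding with this change.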