git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments
Date: Wed, 29 Apr 2026 14:47:22 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=5d8e32aad2a8316b0aab8a93a677a63e4c3df422
commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-29 14:39:27 +0000
dhclient: Fix reallocation of dhclient script environments
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers. The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.
Approved by: so
Security: FreeBSD-SA-26:15.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 719e20cffad9..f671b0ab9bed 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const char *prefix,
char **newscriptEnv;
int newscriptEnvsize = client->scriptEnvsize + 50;
- newscriptEnv = realloc(client->scriptEnv,
- newscriptEnvsize);
+ newscriptEnv = reallocarray(client->scriptEnv,
+ newscriptEnvsize, sizeof(char *));
if (newscriptEnv == NULL) {
free(client->scriptEnv);
client->scriptEnv = NULL;
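Review bot: The element count declared at the top of this hunk, "int newscriptEnvsize = client->scriptEnvsize + 50;", is still a signed int. reallocarray() now checks the count-times-size multiplication, but the "+ 50" addition is done in int arithmetic before the call and the result is only then converted to size_t, so that step is not covered by the overflow check. Consider making the count a size_t, or bounding client->scriptEnvsize before the addition, so the whole size computation is checked in one place. On the failure branch, the visible lines free client->scriptEnv and set it to NULL; it is worth confirming in the lines that follow that the stored size is reset too, so a later call cannot pair a NULL array with a stale element count.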