git: 8008e4b88daf - main - dhclient: Check for unexpected characters in some DHCP server options

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 29 Apr 2026 14:47:21 UTC 
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8008e4b88daf37015d16c4ac709b91804b586575

commit 8008e4b88daf37015d16c4ac709b91804b586575
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-29 14:39:27 +0000

    dhclient: Check for unexpected characters in some DHCP server options
    
    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations.  We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 5d2a7453578b..719e20cffad9 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
 		lease->server_name[DHCP_SNAME_LEN]='\0';
+		if (strchr(lease->server_name, '"') != NULL ||
+		    strchr(lease->server_name, '\\') != NULL) {
+			warning("dhcpoffer: server name contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 
 	/* Ditto for the filename. */
@@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
 		lease->filename[DHCP_FILE_LEN]='\0';
+		if (strchr(lease->filename, '"') != NULL ||
+		    strchr(lease->filename, '\\') != NULL) {
+			warning("dhcpoffer: filename contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 	return lease;
 }