git: e7b4fb41aafa - releng/15.0 - dhclient: Check for unexpected characters in some DHCP server options
Date: Wed, 29 Apr 2026 14:48:28 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8
commit e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:03:09 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 19:27:11 +0000
dhclient: Check for unexpected characters in some DHCP server options
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations. We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.
Approved by: so
Security: FreeBSD-SA-26:12.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
sbin/dhclient/dhclient.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 5d2a7453578b..719e20cffad9 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet)
}
memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
lease->server_name[DHCP_SNAME_LEN]='\0';
+ if (strchr(lease->server_name, '"') != NULL ||
+ strchr(lease->server_name, '\\') != NULL) {
+ warning("dhcpoffer: server name contains invalid characters.");
+ free_client_lease(lease);
+ return (NULL);
+ }
}
/* Ditto for the filename. */
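Review bot: the added check on lease->server_name carries no comment, so the reason for rejecting exactly '"' and '\\' is recorded only in the commit message. A one-line comment above the `if`, saying that the string is written to the lease file and re-read by later dhclient invocations, would keep the check from being loosened or dropped later. Note also that strchr() stops at the first NUL, so only the C-string prefix of the DHCP_SNAME_LEN bytes copied from packet->raw->sname is inspected; that is correct only as long as every consumer of server_name also treats it as a C string.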
@@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet)
}
memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
lease->filename[DHCP_FILE_LEN]='\0';
+ if (strchr(lease->filename, '"') != NULL ||
+ strchr(lease->filename, '\\') != NULL) {
+ warning("dhcpoffer: filename contains invalid characters.");
+ free_client_lease(lease);
+ return (NULL);
+ }
}
return lease;
}
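Review bot: the filename check is a copy of the server_name check in the previous hunk, with only the field and the warning text changed. A small static helper that takes the string and a field name, called from both places, would keep the two checks from drifting apart. The test is also a denylist of two characters, and nothing in this hunk shows how the lease writer treats other bytes such as newlines or control characters; if the writer does not escape them, rejecting non-printable bytes here as well would be the safer default.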