git: 66d6c32ce7b8 - releng/15.0 - dhclient: Fix reallocation of dhclient script environments
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 29 Apr 2026 14:48:29 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=66d6c32ce7b84172e4c6069ce3acf8f5c422d1fa
commit 66d6c32ce7b84172e4c6069ce3acf8f5c422d1fa
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 19:27:11 +0000
dhclient: Fix reallocation of dhclient script environments
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers. The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.
Approved by: so
Security: FreeBSD-SA-26:15.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 719e20cffad9..f671b0ab9bed 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const char *prefix,
char **newscriptEnv;
int newscriptEnvsize = client->scriptEnvsize + 50;
- newscriptEnv = realloc(client->scriptEnv,
- newscriptEnvsize);
+ newscriptEnv = reallocarray(client->scriptEnv,
+ newscriptEnvsize, sizeof(char *));
if (newscriptEnv == NULL) {
free(client->scriptEnv);
client->scriptEnv = NULL;