git: 76734958a098 - releng/14.3 - dhclient: Fix reallocation of dhclient script environments
Date: Wed, 29 Apr 2026 14:49:24 UTC
The branch releng/14.3 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=76734958a0986bdd4cf7edfe845b5e7b4e152360
commit 76734958a0986bdd4cf7edfe845b5e7b4e152360
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:56:21 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:33:04 +0000
dhclient: Fix reallocation of dhclient script environments
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers. The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.
Approved by: so
Security: FreeBSD-SA-26:15.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
sbin/dhclient/dhclient.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 01ef38530cdf..c7a7fcca06ff 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const char *prefix,
char **newscriptEnv;
int newscriptEnvsize = client->scriptEnvsize + 50;
- newscriptEnv = realloc(client->scriptEnv,
- newscriptEnvsize);
+ newscriptEnv = reallocarray(client->scriptEnv,
+ newscriptEnvsize, sizeof(char *));
if (newscriptEnv == NULL) {
free(client->scriptEnv);
client->scriptEnv = NULL;
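Review bot: The element count handed to reallocarray() is still a signed int computed in the context line `int newscriptEnvsize = client->scriptEnvsize + 50;`, so the overflow check that reallocarray() adds covers only the multiplication by the element size, not that addition. Consider carrying the count as a size_t, or bounding client->scriptEnvsize before adding 50, so the value reaching the nmemb argument is never the result of a signed wrap. As a smaller style point on the second `+` line, `sizeof(*newscriptEnv)` instead of `sizeof(char *)` would keep the element size tied to the array's declared type. A short comment above the call noting that the size is counted in pointers rather than bytes would help keep the original mistake from being reintroduced.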