git: a2d45189b9ee - releng/13.5 - dhclient: Check for unexpected characters in some DHCP server options

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 29 Apr 2026 14:50:18 UTC 
The branch releng/13.5 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=a2d45189b9eec1ebf33f4ee844c4098c2f345447

commit a2d45189b9eec1ebf33f4ee844c4098c2f345447
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-27 20:03:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:32:11 +0000

    dhclient: Check for unexpected characters in some DHCP server options
    
    Some options are written directly to the lease file, which may be parsed
    by subsequent dhclient invocations.  We must make sure that a malicious
    server can't control the "medium" field of a lease definition, otherwise
    they can achieve RCE by injecting one into the lease file, whereupon it
    will be passed to dhclient-script, which passes it through eval.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:12.dhclient
    Security:       CVE-2026-42511
    Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
---
 sbin/dhclient/dhclient.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
index 141403d8c86b..590b18ee6467 100644
--- a/sbin/dhclient/dhclient.c
+++ b/sbin/dhclient/dhclient.c
@@ -1223,6 +1223,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
 		lease->server_name[DHCP_SNAME_LEN]='\0';
+		if (strchr(lease->server_name, '"') != NULL ||
+		    strchr(lease->server_name, '\\') != NULL) {
+			warning("dhcpoffer: server name contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 
 	/* Ditto for the filename. */
@@ -1238,6 +1244,12 @@ packet_to_lease(struct packet *packet)
 		}
 		memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
 		lease->filename[DHCP_FILE_LEN]='\0';
+		if (strchr(lease->filename, '"') != NULL ||
+		    strchr(lease->filename, '\\') != NULL) {
+			warning("dhcpoffer: filename contains invalid characters.");
+			free_client_lease(lease);
+			return (NULL);
+		}
 	}
 	return lease;
 }