Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]
- Reply: Oliver Pinter : "Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]"
- In reply to: Mark Johnston : "git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments"
Date: Wed, 29 Apr 2026 23:08:49 UTC
This commit as well as the corresponding stable and releng branch
commits were incorrectly tagged CVE-2026-42511 and should be
CVE-2026-42512. Apologies for the mix-up there.
Best regards,
Gordon
Hat: security-officer
On 29 Apr 2026, at 7:47, Mark Johnston wrote:
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5d8e32aad2a8316b0aab8a93a677a63e4c3df422
>
> commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
> Author: Mark Johnston <markj@FreeBSD.org>
> AuthorDate: 2026-04-27 20:56:21 +0000
> Commit: Mark Johnston <markj@FreeBSD.org>
> CommitDate: 2026-04-29 14:39:27 +0000
>
> dhclient: Fix reallocation of dhclient script environments
>
> When the number of DHCP options exceeds a threshold, script_set_env()
> will reallocate the environment, stored as an array of pointers. The
> calculation of the array size failed to multiply by the pointer size,
> resulting in a smaller than expected buffer which admits out-of-bounds
> writes.
>
> Approved by: so
> Security: FreeBSD-SA-26:15.dhclient
> Security: CVE-2026-42511
> Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
> ---
> sbin/dhclient/dhclient.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
> index 719e20cffad9..f671b0ab9bed 100644
> --- a/sbin/dhclient/dhclient.c
> +++ b/sbin/dhclient/dhclient.c
> @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client,
> const char *prefix,
> char **newscriptEnv;
> int newscriptEnvsize = client->scriptEnvsize + 50;
>
> - newscriptEnv = realloc(client->scriptEnv,
> - newscriptEnvsize);
> + newscriptEnv = reallocarray(client->scriptEnv,
> + newscriptEnvsize, sizeof(char *));
> if (newscriptEnv == NULL) {
> free(client->scriptEnv);
> client->scriptEnv = NULL;
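
Review bot: newscriptEnvsize is still declared as an int computed from client->scriptEnvsize + 50, and it is now passed as the element-count argument of reallocarray(), which takes size_t. reallocarray() checks the count * sizeof(char *) multiplication for overflow, but it cannot see the signed addition that precedes it or the int to size_t conversion at the call. Declaring the count as size_t, or bounding client->scriptEnvsize before adding 50, would keep the element count and the allocation size consistent by construction. Since the original defect was a bytes-versus-elements confusion, a short comment at the declaration stating that scriptEnvsize counts pointers, not bytes, would also help the next reader.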