Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]

In reply to: Gordon Tetlow : "Re: git: 5d8e32aad2a8 - main - dhclient: Fix reallocation of dhclient script environments [CORRECTION: CVE ID]"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Oliver Pinter <oliver.pntr_at_gmail.com>
Date: Fri, 01 May 2026 08:26:38 UTC

On Thursday, April 30, 2026, Gordon Tetlow <gordon@tetlows.org> wrote:

> This commit as well as the corresponding stable and releng branch commits
> were incorrectly tagged CVE-2026-42511 and should be CVE-2026-42512.
> Apologies for the mix up there.
>
> Best regards,
> Gordon
> Hat: security-officer
>
Hi!

I've seen a new trend regarding the commit messages. If someone described
the commit wrong, then the commit gets reverted and the exactly same commit
message reapplied with the fixed commit message. The question is that do
FreeBSD wants the correct CVE id in the history or not? If wants, then one
possible way would be the revert + reapply or the other possible would be
to create an empty commit with git which references the original commit and
adds the correct CVE id to the empty commits description.



> On 29 Apr 2026, at 7:47, Mark Johnston wrote:
>
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=
> 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
>
> commit 5d8e32aad2a8316b0aab8a93a677a63e4c3df422
> Author: Mark Johnston markj@FreeBSD.org
> AuthorDate: 2026-04-27 20:56:21 +0000
> Commit: Mark Johnston markj@FreeBSD.org
> CommitDate: 2026-04-29 14:39:27 +0000
>
> dhclient: Fix reallocation of dhclient script environments
>
> When the number of DHCP options exceeds a threshold, script_set_env()
> will reallocate the environment, stored as an array of pointers.  The
> calculation of the array size failed to multiply by the pointer size,
> resulting in a smaller than expected buffer which admits out-of-bounds
> writes.
>
> Approved by:    so
> Security:       FreeBSD-SA-26:15.dhclient
> Security:       CVE-2026-42511
> Reported by:    Joshua Rogers of AISLE Research Team (https://aisle.com/)
>
> ------------------------------
>
> sbin/dhclient/dhclient.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c
> index 719e20cffad9..f671b0ab9bed 100644
> --- a/sbin/dhclient/dhclient.c
> +++ b/sbin/dhclient/dhclient.c
> @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const
> char *prefix,
> char **newscriptEnv;
> int newscriptEnvsize = client->scriptEnvsize + 50;
>
>    -
>
>    	newscriptEnv = realloc(client->scriptEnv,
>
>    -
>
>    	    newscriptEnvsize);
>
>
>
>    -
>
>    	newscriptEnv = reallocarray(client->scriptEnv,
>
>    -
>
>    	    newscriptEnvsize, sizeof(char *));
>    	if (newscriptEnv == NULL) {
>    		free(client->scriptEnv);
>    		client->scriptEnv = NULL;
>
>
>