FreeBSD/src
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2026-06-02 11:24:32 +00:00
Code Issues Projects Releases Wiki Activity

dhclient: Check for unexpected characters in some DHCP server options

Browse Source 
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations.  We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.

Approved by:	so
Security:	FreeBSD-SA-26:12.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
This commit is contained in:
Mark Johnston
2026-04-27 20:03:09 +00:00
parent 8e8ddb05d0
commit 8008e4b88d
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
sbin/dhclient/dhclient.c
+12
View File
@@ -1226,6 +1226,12 @@ packet_to_lease(struct packet *packet)
}
memcpy(lease->server_name, packet->raw->sname, DHCP_SNAME_LEN);
lease->server_name[DHCP_SNAME_LEN]='\0';
if (strchr(lease->server_name, '"') != NULL ||
strchr(lease->server_name, '\\') != NULL) {
warning("dhcpoffer: server name contains invalid characters.");
free_client_lease(lease);
return (NULL);
}
}
/* Ditto for the filename. */
@@ -1241,6 +1247,12 @@ packet_to_lease(struct packet *packet)
}
memcpy(lease->filename, packet->raw->file, DHCP_FILE_LEN);
lease->filename[DHCP_FILE_LEN]='\0';
if (strchr(lease->filename, '"') != NULL ||
strchr(lease->filename, '\\') != NULL) {
warning("dhcpoffer: filename contains invalid characters.");
free_client_lease(lease);
return (NULL);
}
}
return lease;
}