src, branch release/14.4.0-p4

src, branch release/14.4.0-p4 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0-p4 2026-04-30T21:21:54Z Add UPDATING entries and bump version 2026-04-30T21:21:54Z Mark Johnston markj@FreeBSD.org 2026-04-30T21:12:03Z urn:sha1:49be56ed6fea1b8456cb6daf6ea163bf2d084861 Approved by: so dhclient: Improve server and filename validation 2026-04-30T21:21:45Z Dag-Erling Smørgrav des@FreeBSD.org 2026-04-30T16:45:35Z urn:sha1:dfcb69cdb07edcee90af4ce4fa11207655c5424e * Don't iterate over each string three times; once is enough. * Reject control characters (anything below space) in addition to the double quote and backslash. * If an unsafe character is encountered, discard the string instead of rejecting the entire lease. * If backslashes are encountered in the file name option, convert them to forward slashes instead of rejecting the option. * Tweak the warning messages a bit. Looking through the rest of the code, it seems to me that notes generally end with a period while warnings generally don't. Approved by: so Security: FreeBSD-EN-26:11.dhclient Fixes: 8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options") PR: 294886 MFC after: 1 week Reviewed by: brooks, markj Differential Revision: https://reviews.freebsd.org/D56740 (cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0) (cherry picked from commit 2f9478ad42c442c49a7eff60227148bf2b90b48c) Add UPDATING entries and bump version 2026-04-28T20:33:59Z Mark Johnston markj@FreeBSD.org 2026-04-28T20:27:45Z urn:sha1:d7784de043f1543a1575e9fae8cd56a4fd7c776d Approved by: so libnv: fix heap overflow in nvlist_recv() 2026-04-28T20:33:58Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:36:09Z urn:sha1:4f0992ce23b0934043daca0b85a7b73f0e0dc0a3 nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342 libnv: switch fd_wait() from select(2) to poll(2) 2026-04-28T20:33:58Z Mariusz Zaborski oshogbo@FreeBSD.org 2026-04-28T14:35:10Z urn:sha1:a5cb4863d65a64cc16a81f49b35b944d9b9b14f2 The previous implementation used FD_SET() on a stack-allocated fd_set, which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE (1024). Approved by: so Security: FreeBSD-SA-26:16.libnv Security: CVE-2026-39457 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56689 libnv: add tests to verify potential overflow issues 2026-04-28T20:33:58Z Mariusz Zaborski oshogbo@FreeBSD.org 2024-08-29T13:46:01Z urn:sha1:adaed0700d2d1a84c0c1d6826fb9a1a23d83b603 Approved by: so Differential Revision: https://reviews.freebsd.org/D46131 (cherry picked from commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e) libnv: add test to verify null termination of string in array 2026-04-28T20:33:58Z Mariusz Zaborski oshogbo@FreeBSD.org 2024-08-29T13:44:03Z urn:sha1:64c0919d2c63b3108b958f666b8a5332ba8eb1d1 Approved by: so Differential Revision: https://reviews.freebsd.org/D46138 (cherry picked from commit 2981431e044fae3bc87e6fa891b8230b484dc84b) pf: improve SCTP validation 2026-04-28T20:33:58Z Kristof Provost kp@FreeBSD.org 2026-04-26T09:34:55Z urn:sha1:0cbe512c7a802de4de26bec6561a1d58e6aa4518 As per RFC5061 "4.2. New Parameter Types" the add/delete IP address parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK chunk. They are only allowed to be present in an ASCONF chunk. This also prevents unbounded recursion while parsing an SCTP packet. Approved by: so Security: FreeBSD-SA-26:14.pf Security: CVE-2026-7164 PR: 294799 Reported by: Igor Gabriel Sousa e Souza Sponsored by: Orange Business Services dhclient: Fix reallocation of dhclient script environments 2026-04-28T20:33:58Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:56:21Z urn:sha1:d60456d859a1830e69c379f9802d50162888e920 When the number of DHCP options exceeds a threshold, script_set_env() will reallocate the environment, stored as an array of pointers. The calculation of the array size failed to multiply by the pointer size, resulting in a smaller than expected buffer which admits out-of-bounds writes. Approved by: so Security: FreeBSD-SA-26:15.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/) dhclient: Check for unexpected characters in some DHCP server options 2026-04-28T20:33:58Z Mark Johnston markj@FreeBSD.org 2026-04-27T20:03:09Z urn:sha1:73b801e3b5b3b92a9691bda847b2021b2e1d122b Some options are written directly to the lease file, which may be parsed by subsequent dhclient invocations. We must make sure that a malicious server can't control the "medium" field of a lease definition, otherwise they can achieve RCE by injecting one into the lease file, whereupon it will be passed to dhclient-script, which passes it through eval. Approved by: so Security: FreeBSD-SA-26:12.dhclient Security: CVE-2026-42511 Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)