<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sbin/dhclient, branch releng/14.3</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.3'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-30T21:21:27Z</updated>
<entry>
<title>dhclient: Improve server and filename validation</title>
<updated>2026-04-30T21:21:27Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-04-30T16:45:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=5bad905eb37f69a8ac90f5e10c07527aded70b5b'/>
<id>urn:sha1:5bad905eb37f69a8ac90f5e10c07527aded70b5b</id>
<content type='text'>
* Don't iterate over each string three times; once is enough.

* Reject control characters (anything below space) in addition to the
  double quote and backslash.

* If an unsafe character is encountered, discard the string instead of
  rejecting the entire lease.

* If backslashes are encountered in the file name option, convert them
  to forward slashes instead of rejecting the option.

* Tweak the warning messages a bit.  Looking through the rest of the
  code, it seems to me that notes generally end with a period while
  warnings generally don't.

Approved by:	so
Security:	FreeBSD-EN-26:11.dhclient
Fixes:		8008e4b88daf ("dhclient: Check for unexpected characters in some DHCP server options")
PR:		294886
MFC after:	1 week
Reviewed by:	brooks, markj
Differential Revision:	https://reviews.freebsd.org/D56740

(cherry picked from commit 873a195ba63575e46686cfd6ea9670a0ca340fa0)
(cherry picked from commit 2f9478ad42c442c49a7eff60227148bf2b90b48c)
</content>
</entry>
<entry>
<title>dhclient: Fix reallocation of dhclient script environments</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:56:21Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=76734958a0986bdd4cf7edfe845b5e7b4e152360'/>
<id>urn:sha1:76734958a0986bdd4cf7edfe845b5e7b4e152360</id>
<content type='text'>
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:	so
Security:	FreeBSD-SA-26:15.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
</entry>
<entry>
<title>dhclient: Check for unexpected characters in some DHCP server options</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:03:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=dda71167a1013aceb1c4236a9297a24dd62754ac'/>
<id>urn:sha1:dda71167a1013aceb1c4236a9297a24dd62754ac</id>
<content type='text'>
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations.  We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.

Approved by:	so
Security:	FreeBSD-SA-26:12.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
</entry>
<entry>
<title>dhclient: Keep two clocks</title>
<updated>2025-04-23T04:50:31Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2025-04-08T22:50:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d41725ab43017d8cfca35f09bbae1327656af533'/>
<id>urn:sha1:d41725ab43017d8cfca35f09bbae1327656af533</id>
<content type='text'>
Until July 2024, dhclient kept track of time as seconds-since-epoch as
a time_t.  This was a problem because (a) we wanted sub-second timeouts
and (b) timeouts didn't always do the right thing if the system clock
changed.

Switching to using CLOCK_MONOTONIC and struct timespec fixed those
issues but introduced a new problem: CLOCK_MONOTONIC values were being
interpreted as seconds-since-epoch and written to the dhclient.leases
file, causing confusion with DHCP leases expiring in early 1970.

Attempt to compromise between these by keeping track of both times;
any type within dhclient which is a time_t now refers to seconds past
the epoch, while any struct timespec value is a CLOCK_MONOTONIC time.

PR:	283256
Reviewed by:	dch
Fixes:	f0a38976b01e ("dhclient: Use clock_gettime() instead of time()")
Sponsored by:	Amazon
Differential Revision:	https://reviews.freebsd.org/D49720

(cherry picked from commit 43d19e6a4c42ade0f276ceca18a09e2e3829fce4)
</content>
</entry>
<entry>
<title>dhclient: Ignore vendor-identifying DHCP options defined in RFC 3925</title>
<updated>2024-10-12T12:11:04Z</updated>
<author>
<name>Michael Osipov</name>
<email>michaelo@FreeBSD.org</email>
</author>
<published>2024-09-23T12:37:34Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=36c370fa3e9750543b447e9efdcbe83463836388'/>
<id>urn:sha1:36c370fa3e9750543b447e9efdcbe83463836388</id>
<content type='text'>
Ignore DHCP options 124 and 125 to shut up the warning messages.
These options are defined in RFC 3925.

PR:		281361
Reviewed by:	jrm (mentor), otis (mentor), thj
Tested by:	jlduran@gmail.com
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D46760

(cherry picked from commit 38c63b52830c85013f30bc62b2b32f3936d84e65)
</content>
</entry>
<entry>
<title>dhclient: Update dhclient man page for n flag</title>
<updated>2024-08-20T04:57:09Z</updated>
<author>
<name>Isaac Cilia Attard</name>
<email>icattard@FreeBSD.org</email>
</author>
<published>2024-07-13T10:18:05Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fca891c011cc7c817c2622aa59c4e80c52fe674f'/>
<id>urn:sha1:fca891c011cc7c817c2622aa59c4e80c52fe674f</id>
<content type='text'>
Document new n flag for disabling ARP resolution within dhclient.

Sponsored by:	Google LLC (GSoC 2024)
Signed-off-by:	Isaac Cilia Attard &lt;icattard@FreeBSD.org&gt;
MFC after:	10 days
Reviewed by:	cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1368

(cherry picked from commit 84fce4b67adc1ed1882d9371eb5d92dbbc79766d)
</content>
</entry>
<entry>
<title>dhclient: Make arp_timeout configurable</title>
<updated>2024-08-20T04:57:08Z</updated>
<author>
<name>Isaac Cilia Attard</name>
<email>icattard@FreeBSD.org</email>
</author>
<published>2024-07-08T06:33:13Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7bdd17d8d30a2c29dd5d8ea733435917be39eefe'/>
<id>urn:sha1:7bdd17d8d30a2c29dd5d8ea733435917be39eefe</id>
<content type='text'>
Make arp_timeout available to dhclient.c, set the default timeout to 250
ms, and provide a new command-line argument, 'n' for setting the timeout
to 0.

Sponsored by:	Google LLC (GSoC 2024)
Signed-off-by:	Isaac Cilia Attard &lt;icattard@FreeBSD.org&gt;
MFC after:	10 days
Reviewed by:	cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1368

(cherry picked from commit b51569ad3c806688befc00dad51d15a7e61659fb)
</content>
</entry>
<entry>
<title>dhclient: Use clock_gettime() instead of time()</title>
<updated>2024-08-20T04:57:08Z</updated>
<author>
<name>Isaac Cilia Attard</name>
<email>icattard@FreeBSD.org</email>
</author>
<published>2024-07-08T06:23:00Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7ee68314d36856b349457204ea938a302b4d17a4'/>
<id>urn:sha1:7ee68314d36856b349457204ea938a302b4d17a4</id>
<content type='text'>
Change the use of time() to clock_gettime() to have millisecond-accurate
rather than second-accurate timeouts.

Sponsored by:	Google LLC (GSoC 2024)
Signed-off-by:	Isaac Cilia Attard &lt;icattard@FreeBSD.org&gt;
MFC after:	10 days
Reviewed by:	cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1368

(cherry picked from commit f0a38976b01e15956fdba48f8b58db22d0af1f7e)
</content>
</entry>
<entry>
<title>dhclient: Timeouts for entering state_selecting</title>
<updated>2024-08-20T04:57:08Z</updated>
<author>
<name>Isaac Cilia Attard</name>
<email>icattard@FreeBSD.org</email>
</author>
<published>2024-07-08T06:11:08Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=49be9c8b00298a219c3b8a5271d0e8969e82a47d'/>
<id>urn:sha1:49be9c8b00298a219c3b8a5271d0e8969e82a47d</id>
<content type='text'>
Use the new add_timeout_timespec() API to handle timeouts for
state_selecting within dhclient.c. No functional change intended.

Sponsored by:	Google LLC (GSoC 2024)
Signed-off-by:	Isaac Cilia Attard &lt;icattard@FreeBSD.org&gt;
MFC after:	10 days
Reviewed by:	cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1368

(cherry picked from commit 76e0ffd9f8fd09f8790a4d96581782225d9019ea)
</content>
</entry>
<entry>
<title>dhclient: Switch timeouts from time_t to timespec</title>
<updated>2024-08-20T04:57:08Z</updated>
<author>
<name>Isaac Cilia Attard</name>
<email>icattard@FreeBSD.org</email>
</author>
<published>2024-07-08T05:43:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=99c5c0cb1556daf2818e99a934dc6a2f99fa30f9'/>
<id>urn:sha1:99c5c0cb1556daf2818e99a934dc6a2f99fa30f9</id>
<content type='text'>
Introduce a new function, add_timeout_timespec(), to use timespec
structs to handle timeouts. Make add_timeout() into a wrapper for the
latter function to retain compatibility with the rest of the codebase.
No functional change intended.

Sponsored by:	Google LLC (GSoC 2024)
Signed-off-by:	Isaac Cilia Attard &lt;icattard@FreeBSD.org&gt;
MFC after:	10 days
Reviewed by:	cperciva, brooks, Tom Hukins, Alexander Ziaee
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1368

(cherry picked from commit 16a235f23c066d27b3a53c66cf6aa329be07cdb9)
</content>
</entry>
</feed>
