FreeBSD -- dhclient heap overflow

ID 762B7D4A-EC19-11EA-88F8-901B0EF719AB
Type freebsd
Reporter FreeBSD
Modified 2020-09-02T00:00:00


Problem Description: When parsing option 119 data, dhclient(8) computes the uncompressed domain list length so that it can allocate an appropriately sized buffer to store the uncompressed list. The code to compute the length failed to handle certain malformed input, resulting in a heap overflow when the uncompressed list is copied into in inadequately sized buffer. Impact: The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit. However, it is possible the bug could be combined with other vulnerabilities to escape the sandbox.