Security Advisory: CVE-2025-70102 - NULL Pointer Dereference in dhcpcd parse_option

Summary
A crafted dhcpcd configuration input can trigger undefined behavior in the configuration parser by causing `parse_option()` to access a member through a NULL `struct dhcp_opt` pointer.

The issue is located in `src/if-options.c` in `parse_option()`. During parsing of malformed or unexpected option data, the lookup/parsing path can leave the local DHCP option pointer unset. The affected code then assumes the option pointer is valid and accesses embedded option metadata through it, which results in a NULL pointer member access at `src/if-options.c:1886`.

CWE:
CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Affected Component:
```
src/if-options.c:1886
Function: parse_option()
```

Affected Product:
dhcpcd

Affected Version:
The issue was reproduced against dhcpcd commit:
```
2de751b3691642151a4fdc49e444d6b4dc364e98
```

Attack Conditions:
An attacker must cause dhcpcd to process a crafted configuration input that reaches the vulnerable option parsing path. The issue was reproduced in an instrumented fuzzing build of the dhcpcd configuration reader.

Impact:
The vulnerability causes undefined behavior and process termination under the sanitizer build, resulting in Denial of Service. No evidence of arbitrary code execution was observed in the local crash data.

Fix:
The issue was fixed in dhcpcd commit:
```
117742d755b591764036dd4218f314f748a3d2b7
```
The fix ensures that the pointed-to local DHCP option entry is non-NULL before it is dereferenced. Users should update to a dhcpcd build containing this commit or later.

References:
- Issue: https://github.com/NetworkConfiguration/dhcpcd/issues/567
- Fix: https://github.com/NetworkConfiguration/dhcpcd/commit/117742d755b591764036dd4218f314f748a3d2b7
- PoC: https://github.com/sigdevel/pocs/blob/main/res/dhcpcd/1/if-options_c_1886/if-options_c_1886

Credits:
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #dhcp #net #dhcpcd

@sigdevel Hello, please add direct references to the CVE too. Right now there is only this Mastodon toot. Please add direct references also to the "Issue", "PoC" and "Fix" you have shared in this toot.

Thanks!