| author | Mark Johnston <markj@FreeBSD.org> | 2026-04-27 20:56:21 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2026-04-29 14:39:27 +0000 |
| commit | 5d8e32aad2a8316b0aab8a93a677a63e4c3df422 (patch) | |
| tree | 71e4b8e17c3df2f53518e307ef1bfd99e1ab78bb | |
| parent | 8008e4b88daf37015d16c4ac709b91804b586575 (diff) | |
dhclient: Fix reallocation of dhclient script environments

When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers. The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by: so
Security: FreeBSD-SA-26:15.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
| -rw-r--r-- | sbin/dhclient/dhclient.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sbin/dhclient/dhclient.c b/sbin/dhclient/dhclient.c index 719e20cffad9..f671b0ab9bed 100644 --- a/sbin/dhclient/dhclient.c +++ b/sbin/dhclient/dhclient.c @@ -2438,8 +2438,8 @@ script_set_env(struct client_state *client, const char *prefix, char **newscriptEnv; int newscriptEnvsize = client->scriptEnvsize + 50; - newscriptEnv = realloc(client->scriptEnv, - newscriptEnvsize); + newscriptEnv = reallocarray(client->scriptEnv, + newscriptEnvsize, sizeof(char *)); if (newscriptEnv == NULL) { free(client->scriptEnv); client->scriptEnv = NULL; |
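Review bot: The element count passed to reallocarray() in script_set_env() is still the signed `int newscriptEnvsize = client->scriptEnvsize + 50;`, so the addition is done in int arithmetic and the result is converted to size_t at the call. reallocarray() checks the count-times-size multiplication for overflow, but it cannot see a wrapped or negative count produced before the call. Consider declaring the count as size_t, or rejecting a non-positive value before the call, so that the whole size computation is covered. Writing the element size as `sizeof(*newscriptEnv)` instead of `sizeof(char *)` would also keep it tied to the array's declared type, which is the exact mismatch this fix addresses. A short comment at the call stating that scriptEnvsize counts pointers, not bytes, would help prevent a repeat of the unit confusion.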
