commit 011a36c51438c986535a7248ed2e7f424f8e1078
Author: Simon Kelley <simon@thekelleys.org.uk>
Date:   Wed Mar 25 23:16:35 2026 +0000

    Fix buffer overflow in helper.c with large CLIDs. CVE-2026-4892
    
    Bug reported bt Royce M <royce@xchglabs.com>
    
    Location: helper.c:265-270
    DHCPv6 CLIDs can be up to 65535 bytes. When --dhcp-script is configured,
    the helper hex-encodes raw CLID bytes via sprintf("%.2x") into daemon->packet (5131 bytes).
    A 1000-byte CLID writes ~3000 bytes. The helper process retains root privileges.
    
    Note: log6_packet() correctly caps CLID to 100 bytes for logging, but the helper code path was missed.

diff --git a/src/helper.c b/src/helper.c
index 72f81fe..2c12801 100644
--- a/src/helper.c
+++ b/src/helper.c
@@ -261,8 +261,8 @@ int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd)
 		      data.hostname_len + data.ed_len + data.clid_len, RW_READ))
 	continue;
 
-      /* CLID into packet */
-      for (p = daemon->packet, i = 0; i < data.clid_len; i++)
+      /* CLID into packet: limit to 100 bytes to avoid overflowing buffer. */
+      for (p = daemon->packet, i = 0; i < data.clid_len && i < 100; i++)
 	{
 	  p += sprintf(p, "%.2x", buf[i]);
 	  if (i != data.clid_len - 1)