@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd.service \
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+ file://CVE-2026-56113.patch \
"
SRCREV = "42ff6d2548209af3185473e6cb6f9d235c48bbf4"
new file mode 100644
@@ -0,0 +1,92 @@
+From 7c4a5dbae8ff99f8d3c2d8c1d3be95b60ffb4485 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:17:10 +0100
+Subject: [PATCH] DHCPv6: When deprecating addresses, restart on prefix
+ deletions
+
+As that might invalidate the next address to iterate on.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 5733d3c59a5651f64357ac11c98b4f39895c8d25)
+
+CVE: CVE-2026-56113
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 91341994..8a8a20a0 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2593,12 +2593,13 @@ dhcp6_findia(struct interface *ifp, struct dhcp6_message *m, size_t l,
+ }
+
+ #ifndef SMALL
+-static void
++static bool
+ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ {
+ struct ipv6_addr *da, *dan, *dda;
+ struct timespec now;
+ struct dhcp6_state *state;
++ bool freed = false;
+
+ timespecclear(&now);
+ TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {
+@@ -2624,11 +2625,14 @@ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ if (IN6_ARE_ADDR_EQUAL(&dda->addr, &da->addr))
+ break;
+ }
+- if (dda != NULL) {
++ if (dda != ia && dda != NULL) {
+ TAILQ_REMOVE(&state->addrs, dda, next);
+ ipv6_freeaddr(dda);
++ freed = true;
+ }
+ }
++
++ return freed;
+ }
+ #endif
+
+@@ -2636,7 +2640,11 @@ static void
+ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ {
+ struct ipv6_addr *ia, *ian;
++#ifndef SMALL
++ bool again;
++#endif
+
++again:
+ TAILQ_FOREACH_SAFE(ia, addrs, next, ian) {
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ;
+@@ -2658,7 +2666,9 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ /* If we delegated from this prefix, deprecate or remove
+ * the delegations. */
+ if (ia->flags & IPV6_AF_PFXDELEGATION)
+- dhcp6_deprecatedele(ia);
++ again = dhcp6_deprecatedele(ia);
++ else
++ again = false;
+ #endif
+
+ if (ia->flags & IPV6_AF_REQUEST) {
+@@ -2671,6 +2681,11 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ if (!(ia->flags & IPV6_AF_EXTENDED))
+ ipv6_deleteaddr(ia);
+ ipv6_freeaddr(ia);
++#ifndef SMALL
++ /* Deletion may invalidate the next pointer so restart */
++ if (again)
++ goto again;
++#endif
+ }
+ }
+
+--
+2.43.0
+