-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-24:14.ifconfig Errata Notice The FreeBSD Project Topic: Incorrect ifconfig netmask assignment Category: core Module: ifconfig Announced: 2024-08-07 Affects: FreeBSD 14.0 and later Corrected: 2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE) 2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3) 2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Prior to the advent of classless inter-domain routing (CIDR), the IPv4 address space was divided into classes based on how many of an address's most-significant bits were set. Since the class dictated the network mask, it was not necessary to specify the mask when configuring an interface. Even after CIDR was introduced, FreeBSD continued to allow the network mask to be omitted, for backward compatibility reasons. II. Problem Description When FreeBSD switched from using ioctl(2) to using Netlink sockets to configure network interfaces, the logic for determining the default mask in cases where one was not explicitly provided was inadvertantly inverted, resulting in class A addresses getting a prefix size of 24 instead of 8, and vice versa for class C addresses. Class B addresses were not affected. III. Impact FreeBSD hosts which still rely on default network mask assignment and have addresses in the old class A (0.0.0.0-127.255.255.255) or class C (192.0.0.0-223.255.255.255) ranges will have an incorrect network mask. The exact consequences will vary depending on the direction of the error and the relative positions of the affected host and its default router within the local address space. Affected hosts should still be able to communicate with at least a subset of their local network, and may also be able to communicate with a subset of the wider network, but will typically lose the ability to communicate with any address which is not within both the actual local address space and the misconfigured local address space. This may include their default router. IV. Workaround Make sure to always specify either a network mask or a prefix size when adding IPv4 addresses to network interfaces. For instance, in a VM with a paravirtualized network interface and an IPv4 address of 192.0.2.5 (historically class C), use either of the following in /etc/rc.conf or /etc/rc.conf.d/network: ifconfig_vtnet0="inet 192.0.2.5/24" or ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0" V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch # fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc # gpg --verify ifconfig.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 048ad7a9ef9f stable/14-n267957 releng/14.1/ b9115dba07e8 releng/14.1-n267692 releng/14.0/ 01792dd7f27b releng/14.0-n265424 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhZwACgkQbljekB8A Gu/6HBAA1PB3WA8wuqi2iebMvqZ1iM0Oh0sb9JotX8VFpO7zWpIHImITbLvWjYEm 0YMb62mJNiKBVxRf0p1SWhOqRJcJAVNxU8U8wb6p7UJ2LXnLgU7t3kLNVdKN+Yq5 jIMBOHpIJz/na/LsOEtxtneCvnNL+lOQ4NkHLKfFOUtf0PkAn2nUVnYyA+PGH/3l VQFxSCQCB3CxNMeiI5R2x9ZdaESfNdn/qh6vZcca2fl6seWMQaoqwzxrtBS1VXsR 1LofhqJsOvIDOkKS5SFLIGMfPdETl2jmd+YrG9ujXWYcyvaQxfRE66RRT1AROCXb +vD8MXc7q3gtjAV398iYdMwf7eqbPngX6xZCLPs6PR96eaa1tGTK0+cdan7CfHFB WahFo1md9kORCq2DLkLhekdJjy1+4J9KsMjGWLYRILZNPHU/IvAGFS1czFMPmTbm V1IHWeszDUPgjKlp0m59CsGjwcyJnIeZBnTMiMQ5EM29zEOUdgCayz2/v6JaEgwb 7xCb5x0HzyR0hM4GDG8ccNe8VQFSm6McRSWb77zXnB5Lp2aCug9VwuUN1mJNdQVp 3O5tm+Wd5HeA15YubO4aQ3aUTdsk92BZ9cxorn2dOTlE8vyxmqLk7KYs0644Dzmv IxRNYmBfb/trIWDLW7QZTVXtoSpTjdNvQG0+yEAFDTfTuAe0qVM= =+Q9R -----END PGP SIGNATURE-----