-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-24:14.ifconfig Errata Notice
The FreeBSD Project
Topic: Incorrect ifconfig netmask assignment
Category: core
Module: ifconfig
Announced: 2024-08-07
Affects: FreeBSD 14.0 and later
Corrected: 2024-06-15 15:24:59 UTC (stable/14, 14.1-STABLE)
2024-08-07 13:44:28 UTC (releng/14.1, 14.1-RELEASE-p3)
2024-08-07 13:44:41 UTC (releng/14.0, 14.0-RELEASE-p9)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
Prior to the advent of classless inter-domain routing (CIDR), the IPv4
address space was divided into classes based on how many of an address's
most-significant bits were set. Since the class dictated the network
mask, it was not necessary to specify the mask when configuring an
interface. Even after CIDR was introduced, FreeBSD continued to allow
the network mask to be omitted, for backward compatibility reasons.
II. Problem Description
When FreeBSD switched from using ioctl(2) to using Netlink sockets to
configure network interfaces, the logic for determining the default mask
in cases where one was not explicitly provided was inadvertantly
inverted, resulting in class A addresses getting a prefix size of 24
instead of 8, and vice versa for class C addresses. Class B addresses
were not affected.
III. Impact
FreeBSD hosts which still rely on default network mask assignment and
have addresses in the old class A (0.0.0.0-127.255.255.255) or class C
(192.0.0.0-223.255.255.255) ranges will have an incorrect network mask.
The exact consequences will vary depending on the direction of the error
and the relative positions of the affected host and its default router
within the local address space. Affected hosts should still be able to
communicate with at least a subset of their local network, and may also
be able to communicate with a subset of the wider network, but will
typically lose the ability to communicate with any address which is not
within both the actual local address space and the misconfigured local
address space. This may include their default router.
IV. Workaround
Make sure to always specify either a network mask or a prefix size when
adding IPv4 addresses to network interfaces. For instance, in a VM with
a paravirtualized network interface and an IPv4 address of 192.0.2.5
(historically class C), use either of the following in /etc/rc.conf or
/etc/rc.conf.d/network:
ifconfig_vtnet0="inet 192.0.2.5/24"
or
ifconfig_vtnet0="inet 192.0.2.5 netmask 255.255.255.0"
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch
# fetch https://security.FreeBSD.org/patches/EN-24:14/ifconfig.patch.asc
# gpg --verify ifconfig.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/14/ 048ad7a9ef9f stable/14-n267957
releng/14.1/ b9115dba07e8 releng/14.1-n267692
releng/14.0/ 01792dd7f27b releng/14.0-n265424
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-24:14.ifconfig.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmazhZwACgkQbljekB8A
Gu/6HBAA1PB3WA8wuqi2iebMvqZ1iM0Oh0sb9JotX8VFpO7zWpIHImITbLvWjYEm
0YMb62mJNiKBVxRf0p1SWhOqRJcJAVNxU8U8wb6p7UJ2LXnLgU7t3kLNVdKN+Yq5
jIMBOHpIJz/na/LsOEtxtneCvnNL+lOQ4NkHLKfFOUtf0PkAn2nUVnYyA+PGH/3l
VQFxSCQCB3CxNMeiI5R2x9ZdaESfNdn/qh6vZcca2fl6seWMQaoqwzxrtBS1VXsR
1LofhqJsOvIDOkKS5SFLIGMfPdETl2jmd+YrG9ujXWYcyvaQxfRE66RRT1AROCXb
+vD8MXc7q3gtjAV398iYdMwf7eqbPngX6xZCLPs6PR96eaa1tGTK0+cdan7CfHFB
WahFo1md9kORCq2DLkLhekdJjy1+4J9KsMjGWLYRILZNPHU/IvAGFS1czFMPmTbm
V1IHWeszDUPgjKlp0m59CsGjwcyJnIeZBnTMiMQ5EM29zEOUdgCayz2/v6JaEgwb
7xCb5x0HzyR0hM4GDG8ccNe8VQFSm6McRSWb77zXnB5Lp2aCug9VwuUN1mJNdQVp
3O5tm+Wd5HeA15YubO4aQ3aUTdsk92BZ9cxorn2dOTlE8vyxmqLk7KYs0644Dzmv
IxRNYmBfb/trIWDLW7QZTVXtoSpTjdNvQG0+yEAFDTfTuAe0qVM=
=+Q9R
-----END PGP SIGNATURE-----