[Bug 286910] ifconfig(8) crashes when using "netmask" instead of "prefixlen" for inet6 deletion

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 286910] ifconfig(8) crashes when using "netmask" instead of "prefixlen" for inet6 deletion"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 286910] ifconfig(8) crashes when using "netmask" instead of "prefixlen" for inet6 deletion"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 286910] ifconfig(8) crashes when using "netmask" instead of "prefixlen" for inet6 deletion"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 286910] ifconfig(8) crashes when using "netmask" instead of "prefixlen" for inet6 deletion"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 18 May 2025 16:40:34 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286910

            Bug ID: 286910
           Summary: ifconfig(8) crashes when using "netmask" instead of
                    "prefixlen" for inet6 deletion
           Product: Base System
           Version: 14.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: hayzam@alchemilla.io

When attempting to delete an inet6 address using ifconfig on FreeBSD, if the
netmask keyword is mistakenly used in place of prefixlen, ifconfig crashes with
a segmentation fault. Although this is a misuse of syntax, the utility should
gracefully handle the error and return a usage or invalid argument error rather
than crashing.

Steps to reproduce:

   1) Add an IPv6 address:

      ifconfig lo0 inet6 2001:db8::1234/64

   2) Try to delete it using the wrong keyword:

      ifconfig lo0 inet6 2001:db8::1234 netmask 64 delete

Expected result:

ifconfig should reject the unsupported netmask keyword for IPv6 with an error
message and exit non-zero or treat it exactly like prefixlen?

Actual result:

ifconfig crashes with:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
in6_getaddr (addr_str="64", which=2) at af_inet6.c:431
431     px->set = true;

System version:

FreeBSD bsd-box 14.2-RELEASE-p1 FreeBSD 14.2-RELEASE-p1 GENERIC amd64

Notes:

Using the correct syntax works as expected:

ifconfig lo0 inet6 2001:db8::1234 prefixlen 64 delete

This appears to be a missing parser alias for netmask → prefixlen in the IPv6
command table.

Patch:

Please see the following patch, which simply adds a netmask alias so that IPv6
treats it identically to prefixlen, preventing the NULL-deref:

--- af_inet6.c.orig    2025-05-18 19:43:25.886739000 +0400
+++ af_inet6.c         2025-05-18 19:43:31.009653000 +0400
@@ -693,6 +693,7 @@
 static struct cmd inet6_cmds[] = {
     DEF_CMD_ARG("prefixlen",       setifprefixlen),
+    DEF_CMD_ARG("netmask",         setifprefixlen),
     DEF_CMD("anycast",    IN6_IFF_ANYCAST,  setip6flags),
     DEF_CMD("tentative",  IN6_IFF_TENTATIVE,setip6flags),
     DEF_CMD("-tentative", -IN6_IFF_TENTATIVE,setip6flags),

This patch has been tested on 14.2-RELEASE-p1 and prevents the segfault without
altering any other behavior.

-- 
You are receiving this mail because:
You are the assignee for the bug.