deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-22:06.libalias

Hash: SHA512

FreeBSD-EN-22:06.libalias                                       Errata Notice
                                                          The FreeBSD Project

Topic:          Incorrect fragmented IPv4 packet handling in libalias

Category:       core
Module:         libalias
Announced:      2022-01-11
Affects:        All supported versions of FreeBSD.
Corrected:      2022-01-09 22:04:56 UTC (stable/13, 13.0-STABLE)
                2022-01-11 18:15:02 UTC (releng/13.0, 13.0-RELEASE-p6)
                2022-01-09 23:06:52 UTC (stable/12, 12.3-STABLE)
                2022-01-11 18:19:32 UTC (releng/12.3, 12.3-RELEASE-p1)

Note: This errata notice does not update FreeBSD 12.2.  FreeBSD 12.2
users affected by this update should upgrade to FreeBSD 12.3.

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit

I.   Background

The libalias(3) library is a collection of functions for aliasing and
dealiasing of IPv4 packets, intended for masquerading and network
address translation (NAT).  Additionally, libalias(3) includes modules
to support protocols that require additional logic to support address

libalias(3) is used by several FreeBSD networking components: ng_nat(4),
ipfw(4) and natd(8).

II.  Problem Description

The patch committed for SA-20:12.libalias introduced additional
validation of TCP, UDP and ICMP protocol headers.  This validation
failed to take into account the possibility of IP packet fragmentation,
and could cause libalias(3) to return the PKT_ALIAS_IGNORED status code
for the first fragment of a packet, rather than applying aliasing rules.

III. Impact

Depending on the configuration of the consumer, this bug may cause
fragmented packets to be dropped, or may cause further processing of
fragments without aliasing rules applied.  For example, if the
NG_NAT_DENY_INCOMING flag is set on an ng_nat(4) node, fragments will be
unconditionally dropped.  Similarly, if the "deny_in" flag is set for an
ipfw(4) NAT rule, fragments will be unconditionally dropped.

IV.  Workaround

No workaround is available.  Only systems using NAT via ng_nat(4),
ipfw(4) NAT rules, or natd(8) are affected.  Systems leveraging pf(4) or
ipf(4) to perform NAT are not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an errata update"

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.0]
# fetch
# fetch
# gpg --verify libalias.13.patch.asc

[FreeBSD 12.3]
# fetch
# fetch
# gpg --verify libalias.12.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              ec746e619578    stable/13-n248913
releng/13.0/                            4378aee9f82f  releng/13.0-n244772
stable/12/                                                        r371477
releng/12.3/                                                      r371486
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:


To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at