Project

General

Profile

Actions

Bug #13973

closed

PHP error in ``gwlb.inc`` when OpenVPN or IPsec instances referred to by assigned interface entries are missing

Added by YP Lo almost 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.05
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:

Description

I have previously configured OpenVPN interface and OpenVPN, but subsequently removed OpenVPN configuration but leaving in-place the OpenVPN interface.

In latest gwlb.inc, it is incorrectly trying to access the configuration item and causing PHP error...

[17-Feb-2023 01:44:16 Asia/Singapore] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/gwlb.inc:804
Stack trace:
#0 /etc/inc/gwlb.inc(468): return_gateways_array()
#1 /etc/inc/interfaces.inc(1560): return_gateways_status(true)
#2 /etc/inc/interfaces.inc(1739): interfaces_ipsec_vti_configure()
#3 /etc/rc.bootup(259): interfaces_configure()
#4 {main}
  thrown in /etc/inc/gwlb.inc on line 804 

An example of the configuration causing such error...

Interface definition of offending section

> <?xml version="1.0"?>
> <pfsense>
> > <version>22.8</version>
> > <lastchange></lastchange>
> > <interfaces>
> > > <opt5>
> > > > <descr><![CDATA[OPENVPN_VLAN]]></descr>
> > > > <if>ovpns1</if>
> > > > <spoofmac></spoofmac>
> > > > <enable></enable>
> > > </opt5>
> > …
> > <openvpn></openvpn>

Offending line is...


    switch ($ifcfg['ipaddr']) {

                                                 case "dhcp":

                                                 case "pppoe":

                                                 case "l2tp":

                                                 case "pptp":

                                                 case "ppp":

                                                                $ctype = strtoupper($ifcfg['ipaddr']);

                                                                break;

                                                 default:

                                                                $tunnelif = substr($ifcfg['if'], 0, 3);

                                                                if (substr($ifcfg['if'], 0, 4) == "ovpn") {

                                                                               switch (substr($ifcfg['if'], 4, 1)) {

                                                                                              case "c":

                                                                                                             $ovpntype = "openvpn-client";

                                                                                                             break;

                                                                                              case "s":

                                                                                                             $ovpntype = "openvpn-server";

                                                                                                             break;

                                                                                              default:

                                                                                                             // unknown ovpn type

                                                                                                             continue 3;

                                                                               }

                                                                               $ovpnid = substr($ifcfg['if'], 5);

                                                                               if (is_array($config['openvpn'][$ovpntype])) {

                                                                                              foreach ($config['openvpn'][$ovpntype] as & $ovpnconf) {

                                                                                                             if ($ovpnconf['vpnid'] == $ovpnid) {

                                                                                                                            // skip IPv6-only interfaces

                                                                                                                            if ($ovpnconf['create_gw'] == "v6only") {

                                                                                                                                           continue 3;

                                                                                                                            }

                                                                                                                            // skip tap interfaces

                                                                                                                            if ($ovpnconf['dev_mode'] == "tap") {

                                                                                                                                           continue 3;

                                                                                                                            }

                                                                                                             }

                                                                                              } 

Actions #1

Updated by Jim Pingle almost 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from /etc/inc/gwlb.inc incorrectly accessing OpenVPN config when interface ovpnsx configured but without OpenVPN configuration to Removing an assigned OpenVPN instance without removing the assignment first results in a PHP error in ``gwlb.inc``
  • Category changed from Configuration Backend to OpenVPN
  • Target version set to 2.7.0
  • Affected Plus Version deleted (23.01)
  • Plus Target Version set to 23.05

You assigned an OpenVPN server as an interface, then removed the server entry but not the assignment? That isn't a valid configuration. It shouldn't throw an error like that, but it's not valid.

If you remove the invalid assignment from Interfaces > Assignments the error wouldn't happen.

It probably also warrants adding input validation preventing deleting an assigned OpenVPN instance.

Actions #2

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
Actions #3

Updated by Jim Pingle almost 2 years ago

  • Subject changed from Removing an assigned OpenVPN instance without removing the assignment first results in a PHP error in ``gwlb.inc`` to PHP error on ``gwlb.inc`` when assigned OpenVPN or IPsec interface entries are missing

There is already a check which prevents deleting an assigned VPN instance, so it's not clear how this situation may have happened unless (a) there was some manual config editing involved, or (b) the change was made before the in-use check was added.

That said, I'm pushing a fix that should handle this better in both OpenVPN and IPsec.

Actions #4

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Danilo Zrenjanin over 1 year ago

  • Status changed from Feedback to Resolved

I was able to replicate the issue by manually removing the OpenVPN server from the XML backup config file but leaving the assigned OpenVPN interface.

The patch prevents PHP errors even with such a scenario. I am marking this ticket resolved.

Tested the patch against:

23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023
FreeBSD 14.0-CURRENT

Actions #6

Updated by Jim Pingle over 1 year ago

  • Subject changed from PHP error on ``gwlb.inc`` when assigned OpenVPN or IPsec interface entries are missing to PHP error in ``gwlb.inc`` when OpenVPN or IPsec instances referred to by assigned interface entries are missing
  • Category changed from OpenVPN to Interfaces

Updating subject for release notes.

Actions #7

Updated by Jim Pingle over 1 year ago

  • Affected Version set to 2.7.0
Actions

Also available in: Atom PDF