Bug #13973
closed
PHP error in ``gwlb.inc`` when OpenVPN or IPsec instances referred to by assigned interface entries are missing
100%
Description
I had previously configured an OpenVPN interface and OpenVPN, but subsequently removed the OpenVPN configuration while leaving the OpenVPN interface in place.
In the latest gwlb.inc, it is incorrectly trying to access the configuration item, causing a PHP error...
```
[17-Feb-2023 01:44:16 Asia/Singapore] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /etc/inc/gwlb.inc:804
Stack trace:
#0 /etc/inc/gwlb.inc(468): return_gateways_array()
#1 /etc/inc/interfaces.inc(1560): return_gateways_status(true)
#2 /etc/inc/interfaces.inc(1739): interfaces_ipsec_vti_configure()
#3 /etc/rc.bootup(259): interfaces_configure()
#4 {main}
  thrown in /etc/inc/gwlb.inc on line 804
```
An example of the configuration causing such an error...
Interface definition of offending section

```
<?xml version="1.0"?>
<pfsense>
  <version>22.8</version>
  <lastchange></lastchange>
  <interfaces>
    <opt5>
      <descr><![CDATA[OPENVPN_VLAN]]></descr>
      <if>ovpns1</if>
      <spoofmac></spoofmac>
      <enable></enable>
    </opt5>
  …
  <openvpn></openvpn>
```
Offending line is...
```
switch ($ifcfg['ipaddr']) {
	case "dhcp":
	case "pppoe":
	case "l2tp":
	case "pptp":
	case "ppp":
		$ctype = strtoupper($ifcfg['ipaddr']);
		break;
	default:
		$tunnelif = substr($ifcfg['if'], 0, 3);
		if (substr($ifcfg['if'], 0, 4) == "ovpn") {
			switch (substr($ifcfg['if'], 4, 1)) {
				case "c":
					$ovpntype = "openvpn-client";
					break;
				case "s":
					$ovpntype = "openvpn-server";
					break;
				default:
					// unknown ovpn type
					continue 3;
			}
			$ovpnid = substr($ifcfg['if'], 5);
			if (is_array($config['openvpn'][$ovpntype])) {
				foreach ($config['openvpn'][$ovpntype] as & $ovpnconf) {
					if ($ovpnconf['vpnid'] == $ovpnid) {
						// skip IPv6-only interfaces
						if ($ovpnconf['create_gw'] == "v6only") {
							continue 3;
						}
						// skip tap interfaces
						if ($ovpnconf['dev_mode'] == "tap") {
							continue 3;
						}
					}
				}
```
Updated by Jim Pingle almost 2 years ago
- Project changed from pfSense Plus to pfSense
- Subject changed from /etc/inc/gwlb.inc incorrectly accessing OpenVPN config when interface ovpnsx configured but without OpenVPN configuration to Removing an assigned OpenVPN instance without removing the assignment first results in a PHP error in ``gwlb.inc``
- Category changed from Configuration Backend to OpenVPN
- Target version set to 2.7.0
- Affected Plus Version deleted (23.01)
- Plus Target Version set to 23.05
You assigned an OpenVPN server as an interface, then removed the server entry but not the assignment? That isn't a valid configuration. It shouldn't throw an error like that, but it's not valid.
If you remove the invalid assignment from Interfaces > Assignments the error wouldn't happen.
It probably also warrants adding input validation preventing deleting an assigned OpenVPN instance.
Updated by Jim Pingle over 1 year ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
Updated by Jim Pingle over 1 year ago
- Subject changed from Removing an assigned OpenVPN instance without removing the assignment first results in a PHP error in ``gwlb.inc`` to PHP error on ``gwlb.inc`` when assigned OpenVPN or IPsec interface entries are missing
There is already a check which prevents deleting an assigned VPN instance, so it's not clear how this situation may have happened unless (a) there was some manual config editing involved, or (b) the change was made before the in-use check was added.
That said, I'm pushing a fix that should handle this better in both OpenVPN and IPsec.
Updated by Jim Pingle over 1 year ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 0dbc2d6a7679e85d69bae85ec57d90674e393ea8.
Updated by Danilo Zrenjanin over 1 year ago
- Status changed from Feedback to Resolved
I was able to replicate the issue by manually removing the OpenVPN server from the XML backup config file but leaving the assigned OpenVPN interface.
The patch prevents PHP errors even with such a scenario. I am marking this ticket resolved.
Tested the patch against:
23.01-RELEASE (amd64) built on Fri Feb 10 20:06:33 UTC 2023 FreeBSD 14.0-CURRENT
Updated by Jim Pingle over 1 year ago
- Subject changed from PHP error on ``gwlb.inc`` when assigned OpenVPN or IPsec interface entries are missing to PHP error in ``gwlb.inc`` when OpenVPN or IPsec instances referred to by assigned interface entries are missing
- Category changed from OpenVPN to Interfaces
Updating subject for release notes.
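
The configuration state discussed in this ticket, an assigned interface whose `<if>` names an OpenVPN instance that no longer exists under `<openvpn>`, can be checked for in a configuration backup before it is restored. The script below is an added example, not pfSense code and not the fix from the changeset; the function name and the sample XML are constructed for illustration, and it covers only OpenVPN assignments, using the `ovpns`/`ovpnc` naming and `vpnid` lookup visible in the `gwlb.inc` excerpt.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ticket's excerpt: opt5 is assigned to
# ovpns1 but no openvpn-server exists; opt6 points at a client that does exist.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <opt5><descr><![CDATA[OPENVPN_VLAN]]></descr><if>ovpns1</if><enable></enable></opt5>
    <opt6><if>ovpnc2</if><enable></enable></opt6>
  </interfaces>
  <openvpn>
    <openvpn-client><vpnid>2</vpnid></openvpn-client>
  </openvpn>
</pfsense>"""

# Same mapping the gwlb.inc excerpt applies to the fifth character of the name.
OVPN_TYPES = {"c": "openvpn-client", "s": "openvpn-server"}


def orphaned_openvpn_assignments(config_xml):
    """Return [(interface_key, if_name, reason)] for assignments with no instance."""
    root = ET.fromstring(config_xml)
    openvpn = root.find("openvpn")
    findings = []
    for iface in root.findall("./interfaces/*"):
        if_name = (iface.findtext("if") or "").strip()
        if not if_name.startswith("ovpn"):
            continue  # not an OpenVPN assignment
        ovpn_type = OVPN_TYPES.get(if_name[4:5])
        if ovpn_type is None:
            findings.append((iface.tag, if_name, "unknown ovpn type"))
            continue
        vpnid = if_name[5:]
        # An empty or absent <openvpn> element yields no instances at all.
        instances = openvpn.findall(ovpn_type) if openvpn is not None else []
        ids = {(inst.findtext("vpnid") or "").strip() for inst in instances}
        if vpnid not in ids:
            findings.append((iface.tag, if_name, f"no {ovpn_type} with vpnid {vpnid}"))
    return findings


if __name__ == "__main__":
    for key, if_name, reason in orphaned_openvpn_assignments(SAMPLE_CONFIG):
        print(f"{key}: {if_name}: {reason}")
```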