Netgate Discussion Forum
php crash report ipv6 pfblocker

  • S
    sbs
    last edited by Jul 14, 2024, 7:41 AM

    Hi,

    I started using IPv6 a few weeks ago, and since the day before yesterday I have had 2 crash reports from pfBlockerNG:

    PHP ERROR: Type: 1, File: /usr/local/share/pear/Net/IPv6.php, Line: 684, Message: Uncaught ValueError: str_repeat(): Argument #2 ($times) must be greater than or equal to 0 in /usr/local/share/pear/Net/IPv6.php:684
    Stack trace:
    #0 /usr/local/share/pear/Net/IPv6.php(684): str_repeat(':0:', -1)
    #1 /usr/local/share/pear/Net/IPv6.php(1157): Net_IPv6::uncompress('2001:1009:1...')
    #2 /usr/local/share/pear/Net/IPv6.php(450): Net_IPv6::_ip2Bin('2001:1009:1...')
    #3 /usr/local/pkg/pfblockerng/pfblockerng.inc(3868): Net_IPv6::isInNetmask('2001:1009:1...', '2001:1009:1...')
    #4 /usr/local/pkg/pfblockerng/pfblockerng.inc(5648): find_reported_header('2001:1009:1...', '/var/db/pfblock...', false)
    #5 /usr/local/pkg/pfblockerng/pfblockerng.inc(1032): pfb_daemon_filterlog()
    #6 {main}
    thrown @ 2024-07-13 11:22:08
    

    I did not change the IPv6 rules recently. Is it outside traffic causing a bug? Or did I mess up the configuration?

    • G
      Gertjan @sbs
      last edited by Gertjan Jul 15, 2024, 1:39 PM Jul 15, 2024, 1:38 PM

      @sbs said in php crash report ipv6 pfblocker:

      str_repeat

      The error is hidden behind the 3 dots :

      Is this IPv6 known? Can you show it?

      Normally, "Pear" is pretty rock solid, and can deal with correct input information, and also the BS info.
      Seeing it failing like this is .... strange.
      So, again : what was the IPv6 ?

      If this IPv6 wasn't yours = one of your LAN devices, then sorry, but you have to go over the most recent updated IPv6 feeds, and find the one that contains an invalid IPv6, something like

      2a01:cb19:beef:a6eb::77ff::392c
      

      where the double :: occurring twice is totally wrong => it will fail.

      Btw : pfSense version ?
      pfBlockerng version ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • S
        sbs
        last edited by Jul 16, 2024, 9:20 AM

        Hi
        The ... is in the stack trace; I only removed part of the IP, but here is a full line:
        #1 /usr/local/share/pear/Net/IPv6.php(1157): Net_IPv6::uncompress('2001:867:1009:1...')

        since there were 9 more occurrences of this error today.

        So I do not know which IP is creating the issue. I understand that parsing an IP with more than 1 :: will fail.

        PFSense version ;

        2.7.2-RELEASE (amd64)
        built on Mon Mar 4 20:53:00 CET 2024
        FreeBSD 14.0-CURRENT
        

        PfBlockerNg version : 3.2.0_8 (from package manager)

        • S
          sbs @sbs
          last edited by Jul 17, 2024, 9:10 PM

          It seems that the error occurs when I force an update.

          Is there a simple way I could add an echo_to_file_in/tmp just before the line:
          $validate = (Net_IPv6::isInNetmask($ip, $line[1]));
          This way I could correlate with the crash date and find the responsible IP.

          • S
            sbs @sbs
            last edited by Jul 17, 2024, 9:43 PM

            ok I have traced the IPs and it seems that while

            2001:867:xxxx::1/64 is accepted as a valid mask it will crash when matching an ip in the range.
            I removed the 1 from the mask in my static ip file and it seems that the error is gone for now.

            • M
              Morlock
              last edited by Aug 19, 2024, 2:04 PM

              Hi,

              I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list

              Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success.

              Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem:
              https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985

              After changing line 684 from $fill = str_repeat(':0:', 6-$c2-$c1); to $fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.

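Added example, not part of any post in this thread and not pfBlockerNG or PEAR code: a pre-import lint for an IPv6 list file that flags the two entry types discussed above, an address with `::` occurring twice and a prefix such as a /64 written with host bits set. It assumes one entry per line with `#` comments; the function names and the sample feed (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

# Constructed sample feed; the double-"::" entry is the one quoted in the thread.
SAMPLE_FEED = """\
# constructed sample feed
2001:db8:1009::/64
2001:db8:1009::1/64
2a01:cb19:beef:a6eb::77ff::392c
192.0.2.0/24
2001:db8::1
"""

def lint_ipv6_entry(entry):
    """Classify one feed line.

    Returns (status, normalized) where status is one of:
      'skip'      - blank line, comment, or not an IPv6 entry
      'ok'        - valid address or network, normalized to CIDR form
      'host-bits' - valid syntax, but bits are set beyond the prefix length
      'invalid'   - not parseable as IPv6 (for example '::' used twice)
    """
    text = entry.split("#", 1)[0].strip()
    if not text or ":" not in text:
        return ("skip", None)
    try:
        # strict=True rejects networks with host bits set
        return ("ok", str(ipaddress.IPv6Network(text, strict=True)))
    except ValueError:
        pass
    try:
        # strict=False masks the host bits and yields the clean network
        return ("host-bits", str(ipaddress.IPv6Network(text, strict=False)))
    except ValueError:
        return ("invalid", None)

def lint_feed(feed_text):
    """Return (line_number, raw_entry, status, suggested_fix) for every problem line."""
    findings = []
    for lineno, raw in enumerate(feed_text.splitlines(), start=1):
        status, normalized = lint_ipv6_entry(raw)
        if status in ("host-bits", "invalid"):
            findings.append((lineno, raw.strip(), status, normalized))
    return findings

if __name__ == "__main__":
    for lineno, raw, status, fix in lint_feed(SAMPLE_FEED):
        print(f"line {lineno}: {status}: {raw}" + (f" -> {fix}" if fix else ""))
```

Running the same check over a custom or internally mirrored list before pfBlockerNG loads it gives the line number of each offending entry, which is the correlation the crash report's truncated stack trace does not provide.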