php crash report ipv6 pfblocker
-
Hi,
I have started using ipv6 a few weeks ago, and since the day before yesterday I had 2 crash report from pfblockerng:
PHP ERROR: Type: 1, File: /usr/local/share/pear/Net/IPv6.php, Line: 684, Message: Uncaught ValueError: str_repeat(): Argument #2 ($times) must be greater than or equal to 0 in /usr/local/share/pear/Net/IPv6.php:684 Stack trace: #0 /usr/local/share/pear/Net/IPv6.php(684): str_repeat(':0:', -1) #1 /usr/local/share/pear/Net/IPv6.php(1157): Net_IPv6::uncompress('2001:1009:1...') #2 /usr/local/share/pear/Net/IPv6.php(450): Net_IPv6::_ip2Bin('2001:1009:1...') #3 /usr/local/pkg/pfblockerng/pfblockerng.inc(3868): Net_IPv6::isInNetmask('2001:1009:1...', '2001:1009:1...') #4 /usr/local/pkg/pfblockerng/pfblockerng.inc(5648): find_reported_header('2001:1009:1...', '/var/db/pfblock...', false) #5 /usr/local/pkg/pfblockerng/pfblockerng.inc(1032): pfb_daemon_filterlog() #6 {main} thrown @ 2024-07-13 11:22:08I did not change de ipv6 rules recently. Is it outside trafic causing a bug? Or did I mess up the configuration?
-
@sbs said in php crash report ipv6 pfblocker:
str_repeat
The error is hidden behind the 3 dots :
is this IPv6 known, can you show it ?
Normally, "Pear" is pretty rock solid, and can deal with correct input information, and also the BS info.
Seeing it failing like this is .... strange.
So, again : what was the IPv6 ?If this IPv6 wasn't yours = one of your LAN devices, then sorry, but you have to go over the most recent updated IPv6 feeds, and find the one that contains an invalid IPv6, something like
2a01:cb19:beef:a6eb**::**77ff**::**392cwhere the double :: occurring twice is totally wrong => it will fail.
Btw : pfSense version ?
pfBlockerng version ? -
Hi
the ... is the in stack trace, I only remove part of the IP, but here is a a full line ;
#1 /usr/local/share/pear/Net/IPv6.php(1157): Net_IPv6::uncompress('2001:867:1009:1...')since there were 9 more occurences of this error today.
So I do not know which IP is creating the issue. I understand that parsing an IP with more than 1 :: will fail.
PFSense version ;
2.7.2-RELEASE (amd64) built on Mon Mar 4 20:53:00 CET 2024 FreeBSD 14.0-CURRENTPfBlockerNg version : 3.2.0_8 (from package manager)
-
It seems that the error occurs when I force an update.
Is there a simple way I could add a echo_to_file_in/tmp juste before line :
$validate = (Net_IPv6::isInNetmask($ip, $line[1]));
this way I coudl correlate with the crash date and find the responsible ip. -
ok I have traced the IPs and it seems that while
2001:867:xxxx::1/64 is accepted as a valid mask it will crash when matching an ip in the range.
I removed the 1 from the mask in my static ip file and it seems that the error is gone for now. -
Hi,
I was seeing the same error, mostly with this IP list: https://api.gcore.com/cdn/public-ip-list
Since ASN are currently not resolved and for reliability, I'm loading the lists from an internal repo anyway and tried my best to remove or reformat "problematic" IPs - without success.
Then I had a closer look at /usr/local/share/pear/Net/IPv6.php and compared it to the public source. It seems that, at least in my case with pfBlocker 3.2.0_8 on CE 2.7.2, the file is missing an old fix for this problem:
https://github.com/pear/Net_IPv6/commit/70080426d3ac9da4908f9277824694e5eda68985After changing line 684 from
$fill = str_repeat(':0:', 6-$c2-$c1);to$fill = str_repeat(':0:', max(1, 6-$c2-$c1));, the error is gone.
