weixin_39588542
2020-12-01 13:50

Double free or corruption in lys_parse_path

The following file causes a double free. The value is freed at tree_schema.c:2891 and seems to be allocated at parser.c:624.


module state-lists {
    yang-version 1.1;
    namespace "urn:state-lists";
    prefix sl;

    container cont {
        config false;
        grouping group1 {
            leaf leaf3 {
                type tdef2 {
                    length "3..9 | 30..40";
                    pattern "[ac
                }*";
            }

            units "none";
            default "aaa";
        }

        typedef tdef2 {
            type string {
                length "2..17 | 20..50";
                pattern "[ab]*";
            }
        }

        container cont1 {
            uses group1 {
                if-feature "feat2";
                refine "leaf1" {
                    if-feature "feat3";
                    must "24 - 4 = number('20')";
                    default "25";
                    config true;
                    mandatory false;
                    description "dsc";
                    reference "none";
                }
            }

            leaf leaf4 {
                type int64 {
                    range "1000 .. 50000" {
                        error-message
                        "Special e        
                    }
                    .";
                }
            }
        }

      }
    }
  }
}

This question comes from the open-source project: CESNET/libyang
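As an added illustration (this is not code from the issue or from libyang), here is a small string-aware YANG statement tokenizer in Python. It runs on a constructed module, `MUTATED`, that has the same shape as the fuzzed file above: the `pattern` string has been mutated to run across a line break, so a `}` that the indentation presents as closing the `type` block is really string content. A plain brace count misjudges the file, while the tokenizer parses it as well-formed but with `container cont1` and `uses group1` nested inside `grouping group1` itself. That kind of syntactically valid but structurally surprising input is exactly what a schema parser's error-handling paths have to survive without double frees.

```python
import re

# Constructed sample (not the issue's file verbatim) with the same shape as the
# fuzzed module in the report: the mutated `pattern` string runs across a line
# break and swallows what the indentation presents as a closing brace.
MUTATED = '''module demo {
    yang-version 1.1;
    namespace "urn:demo";
    prefix d;
    grouping group1 {
        leaf leaf3 {
            type string {
                pattern "[ac
            }*";
        }
        units "none";
    }
    container cont1 {
        uses group1;
    }
  }
}
'''

# Token classes of the YANG surface syntax handled here. Double-quoted strings
# may span lines and contain escaped quotes; single-quoted strings are literal.
# (String concatenation with '+' is not supported by this toy tokenizer.)
TOKEN_RE = re.compile(r'''
      (?P<ws>\s+)
    | (?P<comment>//[^\n]*|/\*.*?\*/)
    | (?P<dq>"(?:[^"\\]|\\.)*")
    | (?P<sq>'[^']*')
    | (?P<punct>[{};])
    | (?P<word>[^\s{};"']+)
''', re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Split YANG text into (kind, lexeme) pairs, skipping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:  # e.g. an unterminated quoted string
            raise ValueError(f"cannot tokenize at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        if m.lastgroup not in ("ws", "comment"):
            tokens.append((m.lastgroup, m.group()))
    return tokens


def parse_statements(tokens, i):
    """Parse `keyword [arg] (; | { ... })` statements until a '}' or end of input."""
    stmts = []
    while i < len(tokens) and tokens[i] != ("punct", "}"):
        kind, keyword = tokens[i]
        if kind != "word":
            raise ValueError(f"expected a keyword, got {keyword!r}")
        i += 1
        arg = None
        if i < len(tokens) and tokens[i][0] in ("word", "dq", "sq"):
            kind, arg = tokens[i]
            if kind != "word":
                arg = arg[1:-1]  # strip the quotes; escapes are left as written
            i += 1
        if i >= len(tokens) or tokens[i][0] != "punct" or tokens[i][1] == "}":
            raise ValueError(f"statement {keyword!r} is not terminated by ';' or '{{'")
        if tokens[i][1] == ";":
            children, i = [], i + 1
        else:  # '{' opens a block of substatements
            children, i = parse_statements(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError(f"missing '}}' for {keyword!r} {arg!r}")
            i += 1  # consume the closing '}'
        stmts.append((keyword, arg, children))
    return stmts, i


def parse_yang(text):
    """Return the statement tree as nested (keyword, arg, children) tuples."""
    tokens = tokenize(text)
    stmts, i = parse_statements(tokens, 0)
    if i != len(tokens):
        raise ValueError(f"stray '}}' at token {i}")
    return stmts


def naive_brace_balance(text):
    """Brace count that ignores quoting: how a grep-style sanity check sees the file."""
    return text.count("{") - text.count("}")


def enclosing_path(stmts, keyword, arg, path=()):
    """Return the chain of (keyword, arg) statements enclosing the first match, or None."""
    for kw, a, children in stmts:
        here = path + ((kw, a),)
        if kw == keyword and a == arg:
            return here
        found = enclosing_path(children, keyword, arg, here)
        if found:
            return found
    return None


if __name__ == "__main__":
    print("naive brace balance:", naive_brace_balance(MUTATED))
    tree = parse_yang(MUTATED)
    print("uses group1 is enclosed by:", enclosing_path(tree, "uses", "group1"))
```

The naive count reports one brace too many, because the `}` inside the pattern string is counted; the tokenizer instead shows the file balances exactly, with the grouping swallowing everything that follows it, including the `uses` of itself.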


5 replies

  • weixin_39588542, 4 months ago

    This file also causes a hang in yanglint on the libyang2 branch.

  • weixin_39857792, 4 months ago

    Hi Juraj, we have decided that continuing to fuzz the current YANG parser does not make much sense, so it would be great if you could use the one from the libyang2 branch. Also, the best way of sharing binary modules is to attach them here directly (zipped, maybe).

    Regards, Michal

  • weixin_39588542, 4 months ago

    Ok, I will set up the fuzzer to fuzz the libyang2 parser, and test the remaining bugs the fuzzer found with the new parser.

    Regards, Juraj

  • weixin_39826080, 4 months ago

    Should be fixed in libyang2.

  • weixin_39588542, 4 months ago

    libyang2 now successfully reports that the input is not valid, so I'm closing the issue.
