2020-12-08 19:23

libyang2: schema tree BUGFIX lys_compile_unres_xpath when condition null dereference


This PR fixes a NULL dereference in lys_compile_unres_xpath. The file causing the crash is below:

module d00000000 {
    namespace "n";
    prefix d;
    leaf l1 {
        type string;
        when "/l0{k='when']";

This was found through the fuzz regression tests in #1199. As fuzz regression testing uses the lys_parse_mem fuzz harness, and #1199 contains a fix for the harness to bring it up to date with the new API, this issue can't be reproduced with it on the libyang2 branch. However, I've attached an example below that can be used to reproduce the issue.

#include <stdio.h>
#include <stdlib.h>
#include <libyang/libyang.h>

int main(int argc, char **argv) {
    struct ly_ctx *ctx = NULL;
    FILE *f = NULL;
    size_t len = 0;
    int err = 0;
    char *data = NULL;

    if (argc != 2) {
        printf("invalid number of arguments\n");
        return -1;
    }

    /* disable libyang logging; the crash only reproduces with logging off */
    ly_log_options(0);

    err = ly_ctx_new(NULL, 0, &ctx);
    if (err != LY_SUCCESS) {
        printf("context fail\n");
        return -1;
    }

    f = fopen(argv[1], "r");
    if (f == NULL) {
        printf("fopen fail\n");
        return -1;
    }

    /* read the whole module file into memory */
    fseek(f, 0, SEEK_END);
    len = ftell(f);
    fseek(f, 0, SEEK_SET);

    data = malloc(len + 1);
    if (data == NULL) {
        printf("malloc fail\n");
        return -1;
    }

    if (fread(data, 1, len, f) != len) {
        printf("fread fail\n");
        return -1;
    }
    data[len] = 0;
    fclose(f);

    /* parse and compile the module; the NULL dereference happens during compilation */
    lys_parse_mem(ctx, data, LYS_IN_YANG, NULL);

    free(data);
    return 0;
}

When reproducing the crash, libyang logging has to be disabled, which I've done with ly_log_options(0). Otherwise the crash doesn't seem to appear.




  • weixin_39945679, 4 months ago

    Codecov Report

    Merging #1200 into libyang2 will decrease coverage by 0.01%. The diff coverage is n/a.

    @@             Coverage Diff              @@
    ##           libyang2    #1200      +/-   ##
    - Coverage     74.41%   74.40%   -0.01%     
      Files            39       39              
      Lines         25225    25227       +2     
      Hits          18770    18770              
    - Misses         6455     6457       +2     
  • weixin_39826080, 4 months ago

    I'm afraid that your fix just fixes a symptom, not the cause of the problem. And I'm afraid that the problem you discovered is complex.

    The point is in disabling logging: in that case the error information is not stored in the context. But unfortunately, we apparently have some code (checking the cond member in lys_compile_when()) which depends on having error information stored in the context.

    I'm not sure about the solution. One option is to remove the possibility of switching off the storing of error information in the context. The other option is to avoid using the stored error information inside the library. The second option is probably more challenging, but probably more correct, and it also follows what we are trying to fulfil in the public API: all functions are supposed to return LY_ERR, and any other return information is provided via output parameters of the function.

    What do you think?

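The design point in the comment above (success decided by the function's return code, not by whether an error happened to be recorded in the context), as an added C example that is not libyang's code: a toy `parse_cond`/`compile_when` pair in which the context records an error message only when `store_errors` is set, standing in for a context whose logging was switched off with ly_log_options(0). The legacy caller infers failure from the recorded message and therefore dereferences a NULL condition once recording is off; the fixed caller uses the return code alone. All names here (`ctx`, `cond`, `parse_cond`, `compile_when_legacy`, `compile_when_fixed`, `run_legacy`, `run_fixed`), the bracket check and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return codes in the style of LY_ERR (example only, not libyang's enum). */
enum err { OK = 0, ERR_VALID = 1 };

/* Hypothetical context: an error message is recorded only when
 * store_errors is set, mirroring logging disabled via ly_log_options(0). */
struct ctx {
    int store_errors;
    const char *last_err;   /* NULL when nothing was recorded */
};

/* Hypothetical compiled "when" condition. */
struct cond {
    const char *text;
    size_t len;
};

static struct cond g_cond;  /* static storage keeps the example malloc-free */

/* Toy validity check: every '[' must close with ']' and every '{' with '}'. */
static int brackets_balanced(const char *s)
{
    int sq = 0, cu = 0;
    for (; *s; s++) {
        if (*s == '[') sq++;
        else if (*s == ']') { if (--sq < 0) return 0; }
        else if (*s == '{') cu++;
        else if (*s == '}') { if (--cu < 0) return 0; }
    }
    return sq == 0 && cu == 0;
}

/* Parse a condition: returns OK and sets *out, or returns ERR_VALID with
 * *out == NULL. The message is recorded only if the context stores errors. */
static enum err parse_cond(struct ctx *c, const char *text, struct cond **out)
{
    *out = NULL;
    if (!brackets_balanced(text)) {
        if (c->store_errors)
            c->last_err = "unbalanced brackets in when condition";
        return ERR_VALID;
    }
    g_cond.text = text;
    g_cond.len = strlen(text);
    *out = &g_cond;
    return OK;
}

/* Legacy pattern: failure is inferred from recorded error state. With
 * store_errors == 0 and malformed input nothing is recorded, so the
 * code believes parsing succeeded and dereferences the NULL cond. */
static int compile_when_legacy(struct ctx *c, const char *text)
{
    struct cond *cond;
    c->last_err = NULL;
    parse_cond(c, text, &cond);     /* return code ignored */
    if (c->last_err)
        return -1;                  /* "an error was logged" */
    return (int)cond->len;          /* NULL dereference when logging is off */
}

/* Fixed pattern: the return code decides; the stored message is
 * diagnostic output only and never drives control flow. */
static int compile_when_fixed(struct ctx *c, const char *text)
{
    struct cond *cond;
    c->last_err = NULL;
    if (parse_cond(c, text, &cond) != OK)
        return -1;
    return (int)cond->len;
}

/* Wrappers that build a context with the requested error storage. */
int run_legacy(int store_errors, const char *text)
{
    struct ctx c = { store_errors, NULL };
    return compile_when_legacy(&c, text);
}

int run_fixed(int store_errors, const char *text)
{
    struct ctx c = { store_errors, NULL };
    return compile_when_fixed(&c, text);
}

int main(void)
{
    /* Constructed inputs; the second is the broken condition from the crashing module. */
    const char *good = "/l0[k='when']";
    const char *bad  = "/l0{k='when']";

    printf("legacy, logging on:  good=%d bad=%d\n", run_legacy(1, good), run_legacy(1, bad));
    printf("fixed,  logging on:  good=%d bad=%d\n", run_fixed(1, good), run_fixed(1, bad));
    printf("fixed,  logging off: good=%d bad=%d\n", run_fixed(0, good), run_fixed(0, bad));
    /* run_legacy(0, bad) is deliberately not called: it dereferences NULL,
     * which is the crash pattern this thread describes. */
    return 0;
}
```

The legacy variant behaves correctly only as long as the diagnostic channel is on, which is why the reproducer above had to disable logging to trigger the crash; the fixed variant gives the same answer in both configurations.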
  • weixin_39857792, 4 months ago

    Hi, this should be fixed now by pull request.

  • weixin_39588542, 4 months ago

    Thanks, #1205 fixed this. The file doesn't crash on my system anymore, so I'm closing the issue.
