Closed
Description
In function lyd_validate, the line marked below stores *node in data_tree:
lyd_validate(struct lyd_node **node, int options, void *var_arg)
{
struct lyd_node *root, *next1, *next2, *iter, *act_notif = NULL, *to_free = NULL, *data_tree = NULL;
struct ly_ctx *ctx = NULL;
int ret = EXIT_FAILURE, i;
struct unres_data *unres = NULL;
struct ly_set *set;
ly_err_clean(1);
if (!node) {
ly_errno = LY_EINVAL;
return EXIT_FAILURE;
}
unres = calloc(1, sizeof *unres);
LY_CHECK_ERR_RETURN(!unres, LOGMEM, EXIT_FAILURE);
data_tree = *node; --- **This line stores the pointer**
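The code below, later in the same function, sets *node to NULL when it equals to_free, but data_tree is not set to NULL. Because data_tree was copied from *node, in that case it still holds the address of the node that lyd_free then frees: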
if (to_free) {
if ((*node) == to_free) {
*node = NULL;
}
lyd_free(to_free); --- **This line frees the pointer**
to_free = NULL;
}
So when the function below is called with data_tree, it may lead to invalid memory access (a possible use-after-free). Please check.
Code from lyd_defaults_add_unres:
lyd_defaults_add_unres(struct lyd_node **root, int options, struct ly_ctx *ctx, const struct lyd_node *data_tree,
struct lyd_node *act_notif, struct unres_data *unres)
{
struct lyd_node *msg_sibling = NULL, *msg_parent = NULL, *data_tree_sibling = NULL, *data_tree_parent = NULL;
int ret = EXIT_FAILURE;
assert(root && unres && !(options & LYD_OPT_ACT_NOTIF));
assert(!data_tree || !data_tree->prev->next); --- **This line may cause freed memory access**