Segmentation fault due to self-referential union type containing leafrefs #724

Closed
jvijtiuk opened this issue Mar 8, 2019 · 4 comments

jvijtiuk commented Mar 8, 2019

Hi,

the following yang file causes a segmentation fault in lys_parse_path, caused by a stack overflow due to too many function calls.

module mod1 {
    namespace "urn:all";
    prefix av;
    yang-version 1.1;

    leaf l1 {
        type union-type;
    }

    leaf-list list5 {
        type string;
    }

    typedef union-type {
        type union {
            type leafref {
                path /list5;
            }
            type union-type;
        }
    }
}

The issue seems to be caused due to the self-referential union-type type containing a leaf-ref.
If the list5 leaf-list is removed, the issue persists, but the stack overflow takes longer to appear.

A gdb backtrace shows that the call stack is full of lys_copy_union_leafrefs calls, called in src/tree_schema.c:1903 and src/tree_schema.c:1887.

Regards,
Juraj

@michalvasko
Member

Hi,
should no longer crash.

Also, thanks for the nice issue reports but it is great already when you provide a simple model that can be used for reproducing the issue. No other information is necessary and you can save yourself the trouble.

Regards,
Michal

@jvijtiuk
Collaborator Author

I've tested all the files that I reported that caused issues for libyang 1 so far, and this is the only one that causes a segmentation fault for the new parser in libyang2.

@rkrejci rkrejci self-assigned this Apr 30, 2019
@rkrejci rkrejci reopened this Apr 30, 2019
rkrejci pushed a commit that referenced this issue Apr 30, 2019
@rkrejci
Member

rkrejci commented Apr 30, 2019

Thanks Juraj, it should be now fixed also in libyang2.

@rkrejci rkrejci closed this as completed Apr 30, 2019
@ret2libc

CVE-2019-20395 was assigned to this issue in libyang 1.
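
The reporter attributes the crash to a typedef that lists itself as a member of its own union, so type resolution never terminates. As an added example (not code from this issue or from libyang), a resolver can mark each typedef while it is being resolved and reject a reference back to one that is still in progress; the structures and function names here are hypothetical, and the two inputs are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Simplified, hypothetical model of YANG typedefs; not libyang's own structures. */
enum kind { K_STRING, K_LEAFREF, K_UNION, K_DERIVED };
struct type {
    enum kind kind;
    const char *ref;            /* K_DERIVED: name of the typedef referred to */
    const struct type *members; /* K_UNION: member types */
    size_t nmembers;
};
struct tpdf { const char *name; struct type type; int state; }; /* 0 new, 1 open, 2 done */

static int tpdf_cyclic(struct tpdf *all, size_t n, struct tpdf *t);
/* Returns 1 if resolving ty leads back to a typedef that is still being resolved. */
static int type_cyclic(struct tpdf *all, size_t n, const struct type *ty) {
    if (ty->kind == K_DERIVED) {
        for (size_t i = 0; i < n; i++)
            if (strcmp(all[i].name, ty->ref) == 0) return tpdf_cyclic(all, n, &all[i]);
        return 0; /* unknown typedef name: a different error, not a cycle */
    }
    if (ty->kind == K_UNION)
        for (size_t i = 0; i < ty->nmembers; i++)
            if (type_cyclic(all, n, &ty->members[i])) return 1;
    return 0;
}

static int tpdf_cyclic(struct tpdf *all, size_t n, struct tpdf *t) {
    if (t->state == 1) return 1; /* back edge: reference to a typedef still open */
    if (t->state == 2) return 0; /* already visited, do not descend again */
    t->state = 1;
    int r = type_cyclic(all, n, &t->type);
    t->state = 2;
    return r;
}

/* Constructed input mirroring the reported module: union { leafref; union-type } */
int issue_model_is_cyclic(void) {
    static const struct type m[] = { { K_LEAFREF, NULL, NULL, 0 }, { K_DERIVED, "union-type", NULL, 0 } };
    struct tpdf all[] = { { "union-type", { K_UNION, NULL, m, 2 }, 0 } };
    return tpdf_cyclic(all, 1, &all[0]);
}

/* Constructed control: the union refers to a different typedef that terminates */
int control_model_is_cyclic(void) {
    static const struct type m[] = { { K_LEAFREF, NULL, NULL, 0 }, { K_DERIVED, "base", NULL, 0 } };
    struct tpdf all[] = { { "u", { K_UNION, NULL, m, 2 }, 0 }, { "base", { K_STRING, NULL, NULL, 0 }, 0 } };
    return tpdf_cyclic(all, 2, &all[0]);
}

int main(void) { return !(issue_model_is_cyclic() == 1 && control_model_is_cyclic() == 0); }
```

With the marking in place, recursion depth is bounded by the number of typedefs and the union nesting in the module rather than by the stack size.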
