Fixed xpath crashes discovered by fuzzing

Added fuzz code for xpath
Test: added negative xpath tests
Olof hagsand 2022-11-04 16:12:22 +01:00
parent 05cdbf5c4f
commit 779fcf5458
16 changed files with 197 additions and 29 deletions


@ -433,7 +433,10 @@ xp_eval_step(xp_ctx *xc0,
*xrp = xc;
xc = NULL;
}
assert(*xrp);
if (*xrp == NULL){
clicon_err(OE_XML, 0, "Internal error xrp is NULL");
goto done;
}
retval = 0;
done:
if (xc)
@ -488,9 +491,11 @@ xp_eval_predicate(xp_ctx *xc,
if ((xr0 = ctx_dup(xc)) == NULL)
goto done;
}
if (xs->xs_c1){ /* Second child */
/* Loop over each node in the nodeset */
assert (xr0->xc_type == XT_NODESET);
// alt set nodeset to NULL
if (xs->xs_c1 && xr0->xc_type == XT_NODESET){ /* Second child */
/* Loop over each node in the nodeset
* XXX: alt to check xr0 is nodeset: set new var nodeset to NULL
*/
if ((xr1 = malloc(sizeof(*xr1))) == NULL){
clicon_err(OE_UNIX, errno, "malloc");
goto done;
@ -707,6 +712,7 @@ xp_relop(xp_ctx *xc1,
char *s2;
int reverse = 0;
double n1, n2;
char *xb;
if (xc1 == NULL || xc2 == NULL){
clicon_err(OE_UNIX, EINVAL, "xc1 or xc2 NULL");
@ -725,12 +731,15 @@ xp_relop(xp_ctx *xc1,
/* If both are node-sets, then it is true iff the string value of one
node in the first node-set and one in the second node-set is true */
for (i=0; i<xc1->xc_size; i++){
if ((s1 = xml_body(xc1->xc_nodeset[i])) == NULL){
/* node in nodeset */
if ((x = xc1->xc_nodeset[i]) == NULL ||
(s1 = xml_body(x)) == NULL){
xr->xc_bool = 0;
goto ok;
}
for (j=0; j<xc2->xc_size; j++){
if ((s2 = xml_body(xc2->xc_nodeset[j])) == NULL){
if ((x = xc2->xc_nodeset[j]) == NULL ||
(s2 = xml_body(x)) == NULL){
xr->xc_bool = 0;
goto ok;
}
@ -839,8 +848,11 @@ xp_relop(xp_ctx *xc1,
the other string is true.*/
s2 = xc2->xc_string;
for (i=0; i<xc1->xc_size; i++){
x = xc1->xc_nodeset[i]; /* node in nodeset */
s1 = xml_body(x);
/* node in nodeset */
if ((x = xc1->xc_nodeset[i]) == NULL)
s1 = NULL;
else
s1 = xml_body(x);
switch(op){
case XO_EQ:
if (s1 == NULL && s2 == NULL)
@ -877,8 +889,10 @@ xp_relop(xp_ctx *xc1,
break;
case XT_NUMBER:
for (i=0; i<xc1->xc_size; i++){
x = xc1->xc_nodeset[i]; /* node in nodeset */
if (sscanf(xml_body(x), "%lf", &n1) != 1)
/* node in nodeset */
if ((x = xc1->xc_nodeset[i]) == NULL ||
(xb = xml_body(x)) == NULL ||
sscanf(xb, "%lf", &n1) != 1)
n1 = NAN;
n2 = xc2->xc_number;
switch(op){
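Review bot: The rewritten condition `if (xs->xs_c1 && xr0->xc_type == XT_NODESET)` in xp_eval_predicate turns a predicate applied to a non-nodeset operand (the case the removed assert used to catch) into a silent no-op, so the predicate is dropped and whatever xr0 holds presumably flows on as the result; the function's tail is outside the hunk, so I cannot confirm what is actually returned. XPath treats a predicate on a number, string or boolean as a type error, and the other fuzz fixes in this commit report through clicon_err rather than skipping, so an explicit `else if (xs->xs_c1){` / `clicon_err(OE_XML, 0, "Predicate applied to non-nodeset");` / `goto done; }` branch would keep the failure visible instead of masking it. The stray `// alt set nodeset to NULL` line duplicates the XXX remark in the block comment right below it and should be dropped.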


@ -330,8 +330,9 @@ xp_nodetest_function(clixon_xpath_yacc *xpy,
xpath_tree *xtret = NULL;
cbuf *cb = NULL;
enum clixon_xpath_function fn;
int ret;
if ((fn = xp_fnname_str2int(name)) < 0){
if ((ret = xp_fnname_str2int(name)) < 0){
if ((cb = cbuf_new()) == NULL){
clicon_err(OE_XML, errno, "cbuf_new");
goto done;
@ -340,6 +341,7 @@ xp_nodetest_function(clixon_xpath_yacc *xpy,
clixon_xpath_parseerror(xpy, cbuf_get(cb));
goto done;
}
fn = (enum clixon_xpath_function)ret;
switch (fn){
case XPATHFN_COMMENT: /* Group of not implemented node functions */
case XPATHFN_PROCESSING_INSTRUCTIONS:
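Review bot: The reason for routing xp_fnname_str2int through `int ret` before the `< 0` test is not recorded; presumably the enum's underlying type is unsigned on this compiler, which made the old `fn < 0` comparison always false and let an unknown function name fall straight into the switch. A one-line comment on the declaration would stop the next cleanup from folding it back: `int ret; /* int, not enum: enum may be unsigned, so test < 0 before the cast */`. The switch body continues past the hunk, so whether it has a default for values outside the enum's range is not visible here.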


@ -457,7 +457,7 @@ static const struct ycard _yclist[] = {
};
/* Search matrix for lookups */
static const struct ycard *_yc_search[Y_SPEC][Y_SPEC] = {0,};
static const struct ycard *_yc_search[Y_SPEC][Y_SPEC] = {{0,},{0,}};
/* Set to 1 if exists in search
* Some yang statements are not explicitly given cardinalities in RFC7950, although they are
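Review bot: `{{0,},{0,}}` silences the missing-braces warning but spells out exactly two rows, so it only compiles cleanly while Y_SPEC is at least 2; the shape-independent form is `static const struct ycard *_yc_search[Y_SPEC][Y_SPEC] = {{NULL}};`, which zero-fills every row whatever the enum's size and uses the pointer constant the array actually holds. Either spelling has the same effect on a static object, which is zero-initialized regardless.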