Double free when using libxml2 as regex engine #117

Closed
shmuelhazan opened this issue Jun 30, 2020 · 3 comments
shmuelhazan commented Jun 30, 2020

Steps to reproduce

  • Set regex engine to libxml2
  • Use the attached main.yang
  • Run set ips addresses 192.168.0.0

Expected results:

  • command succeeds

Actual results:

  • double free (crash):
free(): double free detected in tcache 2
Aborted (core dumped)

main module for example:

module clixon-core {
	prefix "core";
	yang-version 1.1;
	description
	"core functionality of datastore.";
    
	/* yang model example. */
	grouping ip {
		description "ip";
		leaf addr{
			type string {
			      pattern '^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|'        +
              '25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4]'  +
              '[0-9]|25[0-5])$';
			}
		}
	}
	
	/* yang container example. */
	container ips {
		config true;
		description "ip";
		list addresses {
			uses ip;
			key "addr";
			description "list of ips";
		}
	}
}

shmuelhazan commented

NOTE: it is possible that this is an issue in libxml2 and not in clixon.

olofhagsand added the bug label Jul 2, 2020

olofhagsand commented

Yes, I can confirm. Here is the valgrind stack trace.

==27620== Command: clixon_cli -f /var/tmp/./test_pattern.sh/pattern.xml -1 set c rfc2 AB
==27620== 
==27620== Invalid free() / delete / delete[] / realloc()
==27620==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x506630C: match_regexp (cligen_regex.c:308)
==27620==    by 0x505C21D: cv_validate (cligen_cv.c:3260)
==27620==    by 0x505CE45: match_variable (cligen_match.c:104)
==27620==    by 0x505CFBB: match_object (cligen_match.c:159)
==27620==    by 0x505D940: match_vec (cligen_match.c:509)
==27620==    by 0x505DC04: match_pattern_terminal (cligen_match.c:612)
==27620==    by 0x505E066: match_pattern_node (cligen_match.c:763)
==27620==    by 0x505E0B9: match_pattern_node (cligen_match.c:771)
==27620==    by 0x505E0B9: match_pattern_node (cligen_match.c:771)
==27620==    by 0x505E2BB: match_pattern (cligen_match.c:857)
==27620==    by 0x505E397: match_pattern_exact (cligen_match.c:907)
==27620==  Address 0x9ce1b20 is 0 bytes inside a block of size 104 free'd
==27620==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x5066115: cligen_regex_libxml2_free (cligen_regex.c:208)
==27620==    by 0x506621C: cligen_regex_free (cligen_regex.c:266)
==27620==    by 0x5066300: match_regexp (cligen_regex.c:307)
==27620==    by 0x505C21D: cv_validate (cligen_cv.c:3260)
==27620==    by 0x505CE45: match_variable (cligen_match.c:104)
==27620==    by 0x505CFBB: match_object (cligen_match.c:159)
==27620==    by 0x505D940: match_vec (cligen_match.c:509)
==27620==    by 0x505DC04: match_pattern_terminal (cligen_match.c:612)
==27620==    by 0x505E066: match_pattern_node (cligen_match.c:763)
==27620==    by 0x505E0B9: match_pattern_node (cligen_match.c:771)
==27620==    by 0x505E0B9: match_pattern_node (cligen_match.c:771)
==27620==  Block was alloc'd at
==27620==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x5BE97EE: ??? (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.4)
==27620==    by 0x5BEA1E1: xmlRegexpCompile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.4)
==27620==    by 0x5066081: cligen_regex_libxml2_compile (cligen_regex.c:164)
==27620==    by 0x5066172: cligen_regex_compile (cligen_regex.c:231)
==27620==    by 0x506628B: match_regexp (cligen_regex.c:294)
==27620==    by 0x505C21D: cv_validate (cligen_cv.c:3260)
==27620==    by 0x505CE45: match_variable (cligen_match.c:104)
==27620==    by 0x505CFBB: match_object (cligen_match.c:159)
==27620==    by 0x505D940: match_vec (cligen_match.c:509)
==27620==    by 0x505DC04: match_pattern_terminal (cligen_match.c:612)
==27620==    by 0x505E066: match_pattern_node (cligen_match.c:763)
==27620== 
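
Added example, not part of the issue thread or the project's code: a Python triage helper that splits a memcheck "Invalid free" report into its three stacks and finds the innermost function present in both free stacks, which is where the block is released twice. REPORT is a constructed excerpt of the trace above; the names parse_stacks and double_free_site are this example's own.

```python
import re

# Constructed excerpt: the innermost frames of the three stacks in the report above.
REPORT = """\
==27620== Invalid free() / delete / delete[] / realloc()
==27620==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x506630C: match_regexp (cligen_regex.c:308)
==27620==    by 0x505C21D: cv_validate (cligen_cv.c:3260)
==27620==  Address 0x9ce1b20 is 0 bytes inside a block of size 104 free'd
==27620==    at 0x4C30D3B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x5066115: cligen_regex_libxml2_free (cligen_regex.c:208)
==27620==    by 0x506621C: cligen_regex_free (cligen_regex.c:266)
==27620==    by 0x5066300: match_regexp (cligen_regex.c:307)
==27620==    by 0x505C21D: cv_validate (cligen_cv.c:3260)
==27620==  Block was alloc'd at
==27620==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27620==    by 0x5BEA1E1: xmlRegexpCompile (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.4)
==27620==    by 0x5066081: cligen_regex_libxml2_compile (cligen_regex.c:164)
==27620==    by 0x5066172: cligen_regex_compile (cligen_regex.c:231)
==27620==    by 0x506628B: match_regexp (cligen_regex.c:294)
"""

FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?(.+?)(?::(\d+))?\)$")
SECTIONS = (("Invalid free()", "invalid_free"), ("free'd", "first_free"),
            ("Block was alloc'd at", "alloc"))

def parse_stacks(report):
    """Split a memcheck error into its stacks; each frame is (function, file, line or None)."""
    stacks, current = {}, None
    for line in report.splitlines():
        m = FRAME.match(line)
        if m and current:
            stacks[current].append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
            continue
        for marker, name in SECTIONS:
            if marker in line:
                current = name
                stacks[current] = []
    return stacks

def double_free_site(stacks):
    """Innermost function present in both free stacks: the caller that released the block twice."""
    first = {fn: (path, ln) for fn, path, ln in stacks["first_free"] if ln is not None}
    for fn, path, ln in stacks["invalid_free"]:
        if fn in first and ln is not None:
            return {"function": fn, "file": path, "first_free_line": first[fn][1],
                    "second_free_line": ln}
    return None
```

On this trace the helper points at match_regexp in cligen_regex.c: the first release goes through cligen_regex_free at line 307 and the second is a direct free at line 308, on a block that the alloc stack shows was allocated inside xmlRegexpCompile.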

olofhagsand added a commit that referenced this issue Jul 2, 2020
  * added libxml2 support in test_pattern.sh when libxml2 is configured

olofhagsand commented

@shmuelhazan thanks for reporting, please verify fix.
