Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sigfault after call to ly_realloc() using libyang (v1.0.167) #1116

Closed
robbynet opened this issue Jun 20, 2020 · 1 comment
Closed

sigfault after call to ly_realloc() using libyang (v1.0.167) #1116

robbynet opened this issue Jun 20, 2020 · 1 comment

Comments

@robbynet
Copy link

robbynet commented Jun 20, 2020
edited
Loading

When I send the following RPC XML via netopeer2-cli using the following command:
user-rpc --content /opt/dev/xml/software-download.xml
with "cat /opt/dev/xml/software-download.xml"

<software-download xmlns="urn:o-ran:software-management:1.0">
<remote-file-path>/toto/tutu</remote-file-path>
</software-download>

libyang segfaults with the following stack printed with gdb :
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f160f4a2700 (LWP 2070))]
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f16125b48db in __GI_abort () at abort.c:100
#2 0x00007f16125fd897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f161272ab9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f161260490a in malloc_printerr (str=str@entry=0x7f1612728ed3 "realloc(): invalid next size") at malloc.c:5350
#4 0x00007f16126099b4 in _int_realloc (av=av@entry=0x7f1608000020, oldp=oldp@entry=0x7f1608000ec0, oldsize=oldsize@entry=32, nb=nb@entry=32) at malloc.c:4534
#5 0x00007f161260cf9b in _GI___libc_realloc (oldmem=0x7f1608000ed0, bytes=5) at malloc.c:3230
#6 0x00007f1612e01545 in ly_realloc (ptr=0x7f1608000ed0, size=5) at /opt/dev/libyang/src/common.c:1316
#7 0x00007f1612eb871f in ly_write (out=0x7f160f4a1b70, buf=0x7f160f4a1a43 "", count=1) at /opt/dev/libyang/src/printer.c:175
#8 0x00007f1612efcfe3 in lyb_print_header (out=0x7f160f4a1b70) at /opt/dev/libyang/src/printer_lyb.c:643
#9 0x00007f1612efe07e in lyb_print_data (out=0x7f160f4a1b70, root=0x7f1608001060, options=0) at /opt/dev/libyang/src/printer_lyb.c:1089
#10 0x00007f1612eba026 in lyd_print (out=0x7f160f4a1b70, root=0x7f1608001060, format=LYD_LYB, options=0) at /opt/dev/libyang/src/printer.c:713
#11 0x00007f1612eba32e in lyd_print_mem (strp=0x7f160f4a1c00, root=0x7f1608001060, format=LYD_LYB, options=0) at /opt/dev/libyang/src/printer.c:802
#12 0x00007f1612bcd75a in sr_shmsub_rpc_listen_process_rpc_events (rpc_subs=0x55ab1a332f60, conn=0x55ab1a305340) at /opt/dev/sysrepo/src/shm_sub.c:2877
#13 0x00007f1612b913b6 in sr_process_events (subscription=0x55ab1a32dc90, session=0x0, stop_time_in=0x7f160f4a1e20) at /opt/dev/sysrepo/src/sysrepo.c:3037
#14 0x00007f1612bce3c6 in sr_shmsub_listen_thread (arg=0x55ab1a32dc90) at /opt/dev/sysrepo/src/shm_sub.c:3202
#15 0x00007f161296c6db in start_thread (arg=0x7f160f4a2700) at pthread_create.c:463
#16 0x00007f161269588f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)

Yang is the following:
rpc software-download {
description
"Rpc needed to perform software download operation.";

input {
  leaf remote-file-path {
    type inet:uri;
    mandatory true;
    description
      "URI of the software image including username.
      The following format is possible:
      sftp://<username>@<host>[:<port>]/path";
  }

  choice credentials {
    description
      "Type of authentication to use for software downloads.";

    case password {
      container password {
        presence true;
        leaf password {
          type string;
          mandatory true;

          description
            "password needed for authentication.";
        }

        description
          "password authentication method in use";
      }
    }
    case certificate {
      container certificate {
        presence true;
        description
          "certificate authentication method in use";
      }
    }
  }
}
output {
  leaf status {
    type enumeration {
      enum STARTED {
        description
          "Operation has been started without error.";
      }
      enum FAILED {
        description
          "Operation cannot be started because of error, more detailed information can be found in error-message.";
      }
    }
    default "STARTED";

    description
      "Status of the software files download";
  }
  leaf error-message {
    when "../status = 'FAILED'";
    type string;

    description
      "Detailed error Message when the status is failed.";
  }

  leaf notification-timeout {
    type int32;
    units seconds;
    default 30;

    description
      "Notification timeout is the time NETCONF client shall
      wait for a 'download-event' notification from O-RU. If there is no
      'download-event' notification received within notification-timeout,
      NETCONF client shall assume the download timeout/failure, and follow necessary steps.";
  }
}

}

Implementation relies on output default values of the yang model, so no need to implement output.
Nonetheless implementation mention explicitly that the application return zero output to sysrepo ( *output_cnt = 0; )
Implementation is the following :
int orusw_rpc_download_cb(sr_session_ctx_t *session, const char *path, const sr_val_t *input, const size_t input_cnt,
sr_event_t event, uint32_t request_id, sr_val_t **output, size_t *output_cnt, void *private_data)
{
size_t i;
int err;
pthread_t tid;
(void)session;
(void)event;
(void)request_id;
(void)private_data;

printf("\n\n ========== RPC \"%s\" RECEIVED: =======================\n\n", path);
for (i = 0; i < input_cnt; ++i) {
    print_val(&input[i]);
            if (strcmp(remote_file_path, input[i].xpath) ==0)
            {
            printf("%s : %s taken into account\n", input[i].xpath, input[i].data.string_val);
                    strcpy(input[i].data.string_val, remote_file_path);
            }
            if (strcmp(download_password_path, input[i].xpath) ==0)
            {
            printf("%s : %s taken into account\n", input[i].xpath, input[i].data.string_val);
                    strcpy(input[i].data.string_val, download_password_path);
            }
			
*output = malloc(sizeof (**output));
    *output_cnt = 0;

}

return SR_ERR_OK;

}

Printf output of the application :
========== RPC "/o-ran-software-management:software-download" RECEIVED: =======================

/o-ran-software-management:software-download/remote-file-path = /toto/tutu
/o-ran-software-management:software-download/remote-file-path : /toto/tutu taken into account
realloc(): invalid next size
Aborted (core dumped)
@robbynet
Copy link
Author

Root cause of the issue identified : bad implementation of strcmp : strcpy(input[i].data.string_val, remote_file_path);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@robbynet