parser yang BUGFIX parsing revisions longer than LY_REV_SIZE
Change date_len argument type to size_t in lysp_check_date,
instead of uint8_t.
This bug was found by OSS-Fuzz in lys_parse_mem.
The issue would appear when a revision longer than LY_REV_SIZE was
in the input model. get_argument() would parse the string and return
a length that is significantly bigger than LY_REV_SIZE.
The word_len was then cast into a uint8_t, and since word_len is a
size_t an overflow would occur, where only the first 10 characters of
the string would be read, resulting in the date appearing as valid in
lysp_check_date(). The strncpy() into rev->date would then result in an
overflow, as word_len bytes are copied.
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
diff --git a/src/tree_schema_helpers.c b/src/tree_schema_helpers.c
index 64f8945..b402ce3 100644
--- a/src/tree_schema_helpers.c
+++ b/src/tree_schema_helpers.c
@@ -58,7 +58,7 @@
}
LY_ERR
-lysp_check_date(struct lys_parser_ctx *ctx, const char *date, uint8_t date_len, const char *stmt)
+lysp_check_date(struct lys_parser_ctx *ctx, const char *date, size_t date_len, const char *stmt)
{
struct tm tm, tm_;
char *r;