when processing the default metadata attribute. After freeing the meta2 node (the default attribute), the code uses *meta which may still point to the freed memory.
/* delete the metadata */
if (meta != &node->meta) {
*meta = (*meta)->next; // ⚠️ PROBLEM: *meta may point to freed meta2
}
Root Cause
meta points to the previous node (e.g., operation attribute)meta2 points to the current node (default attribute)- when
node->meta is null,*meta points to meta2
in function lydxml_subtree_r(struct lyd_xml_ctx *lydctx, struct lyd_node *parent, struct lyd_node **first_p, struct ly_set *parsed), the line lyd_insert_meta(node, meta, 0); tries to access the already freed meta
when processing the default metadata attribute. After freeing the meta2 node (the default attribute), the code uses *meta which may still point to the freed memory.
/* delete the metadata */⚠️ PROBLEM: *meta may point to freed meta2
if (meta != &node->meta) {
*meta = (*meta)->next; //
}
Root Cause
metapoints to the previous node (e.g., operation attribute)meta2points to the current node (default attribute)node->metais null,*metapoints tometa2in function lydxml_subtree_r(struct lyd_xml_ctx *lydctx, struct lyd_node *parent, struct lyd_node **first_p, struct ly_set *parsed), the line
lyd_insert_meta(node, meta, 0);tries to access the already freed meta