rohc

Crash while decompressing RTP stream with large TS jump and UOR-2 disambiguation

Bug #1083294 reported by Didier Barvaux on 2012-11-26

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	rohc	Status tracked in Rohc-main
	1.3.x	Invalid	Undecided	Didier Barvaux	rohc 1.3.4
	1.4.x	Invalid	Undecided	Didier Barvaux	rohc 1.4.2
	Rohc-1.5.x	Fix Released	High	Didier Barvaux	rohc 1.5.1
	Rohc-main	Fix Released	High	Didier Barvaux	rohc 1.6.0

Bug Description

While testing the library on a lossy network, the attached stream crashed the decompressor (assert). The stream is one RTP stream with a random IP-ID (RND=1) and regular TS, then one RTP packet causes IP-ID to be non-random (RND=0) and a large TS jump.

One UOR-2-TS packet with extension 3 is chosen to transmit more than many TS bits. Because of the RND change, the decompressor tries to parse the UOR-2-TS packet as UOR-2-RTP. It parses 6 bits of TS from the packet (instead of 5 bits if UOR-2-TS was recognized) and 29 bits of TS in extension 3. The packet contains more than 32 bits of TS, so the MSB must be set to 0. It is not the case because UOR-2 disambiguation selected UOR-2-RTP because RND=1 in context.

Solution: Do not assert if superfluous bits are not set to 0 because it can just happen. Just emit a warning.

Tags:

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-11-26:

#1

PCAP capture of the RTP stream that causes the library to crash Edit (514 bytes, application/cap)

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-11-26:

#2

Fixed in main branch. See http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/605

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-07:

#3

On 1.5.x branch:
$ ./test/non_regression/test_non_regression smallcid more-than-32-ts-bits-while-rnd-change.pcap
[...]
[d_generic.c:6363 parse_extension3()] 29 bits of TS found in EXT-3 = 0x1ffffffe
[ERROR] [d_generic.c:6363 parse_extension3()] too many bits for TS: 29 bits found in EXT-3, and 6 bits already found before for a 32-bit field

test_non_regression: d_generic.c:6363: parse_extension3: Assertion `((bits)->ts & _mask) == (bits)->ts' failed.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-07:

#4

Branch 1.4.x seems not to be affected by the problem.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-07:

#5

Branch 1.3.x seems not to be affected by the problem.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-07:

#6

Fixed on 1.5.x branch. See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.5.x/revision/539

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-07:

#7

Branch 1.3.x is not affected.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

PCAP capture of the RTP stream that causes the library to crash Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.