rohc

Decompressor: crash caused by malformed (too short) IR and IR-DYN packets

Bug #1090069 reported by Didier Barvaux on 2012-12-13

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	rohc	Status tracked in Rohc-main
	1.3.x	Invalid	Undecided	Didier Barvaux	rohc 1.3.5
	1.4.x	Invalid	Undecided	Didier Barvaux	rohc 1.4.3
	Rohc-1.5.x	Fix Released	Critical	Didier Barvaux	rohc 1.5.2
	Rohc-main	Fix Released	Critical	Didier Barvaux	rohc 1.6.0

Bug Description

When parsing malformed IR and IR-DYN packets that are too short, the decompressor may crash because it does not properly check for the packet length before accessing data.

Tags:

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#1

Confirmed on main branch.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#2

Confirmed on branch 1.5.x.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#3

Fixed on main branch. See http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/624

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#4

Fixed in 1.5.x branch. See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.5.x/revision/547

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#5

Confirmed on 1.4.x branch.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#6

Fixed on 1.4.x branch. See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.4.x/revision/358

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#7

Branch 1.3.x is not affected.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#8

In fact, branch 1.4.x was not affected. The rohc_ir_packet_crc_ok() function checks for minimal length.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2012-12-13:

#9

Additional length checks added for 1.5.x and main branches. See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.5.x/revision/548 and http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/625

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.