Possible decompressor crash with malformed extension header list
Bug #1093846 reported by
Didier Barvaux
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| rohc | Status tracked in Rohc-main | |||||
| 1.3.x |
Won't Fix
|
Critical
|
Unassigned | |||
| 1.4.x |
Fix Released
|
Critical
|
Didier Barvaux | |||
| Rohc-1.5.x |
Fix Released
|
Critical
|
Didier Barvaux | |||
| Rohc-main |
Fix Released
|
Critical
|
Didier Barvaux | |||
Bug Description
The ROHC decompressor does not check correctly the length of the ROHC packet before parsing the item part of the extension header list. If the item is malformed, the ROHC decompressor may read too many bytes and parses data that was not part of the ROHC packet. Depending on those bytes, it might fail softly or crash.
It might have security implications if someone is able to send malformed ROHC packets to a ROHC decompressor.
Solution: always check the ROHC packet length before reading items of extension header lists.
Please find attached one IR packet with a malformed extension list of type 0.
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #2 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #3 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #4 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #5 |
To post a comment you must log in.
Fixed on main branch. See http://