Crash when decompressing list types 1/2/3 if no reference list was already set
Bug #1115091 reported by
Didier Barvaux
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| rohc | Status tracked in Rohc-main | |||||
| 1.3.x |
Fix Released
|
Critical
|
Didier Barvaux | |||
| 1.4.x |
Fix Released
|
Critical
|
Didier Barvaux | |||
| Rohc-1.5.x |
Fix Released
|
Critical
|
Didier Barvaux | |||
| Rohc-main |
Fix Released
|
Critical
|
Didier Barvaux | |||
Bug Description
When (de)compressing list of IPv6 header extensions, a reference list is shared between the compressor and decompressor. The compression types 1, 2 and 3 require a reference list to be defined. If not, the library crashes. Such a situation might happen if some ROHC packets defining the reference list are lost or damaged.
Solution: use the list with the received gen_id as the reference list in case no reference list was set yet.
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #1 |
| tags: | added: fuzzer |
| tags: | added: security |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #2 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #3 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #4 |
Revision history for this message
| Didier Barvaux (didier-barvaux) wrote | #5 |
To post a comment you must log in.
Anybody can cause a decompressor that accepts ROHC packets from unknown sources to crash.