Assert during decompression on TCP profile

Bug #1400690 reported by Vadim Melikhov
Affects: rohc (status tracked in Rohc-main)
    Rohc-1.7.x: Won't Fix, Importance Medium, assigned to Didier Barvaux
    Rohc-main:  Fix Released, Importance Medium, assigned to Didier Barvaux

Bug Description

I am trying to code a test program using librohc
ver: main branch
Tunnel between 2 Linux hosts (64 bit)
Running only one TCP session (SSH) with cmatrix (just to create traffic)
Mode: ROHC_U_MODE

Got an assert after ~1 hour of work (~1Gb traffic):

[rfc4996.c:426 d_ip_id_lsb()] behavior = 0, k = 4, p = 3, context_ip_id = 0xbb43, value = 0x0003, msn = 0x98e2
[rfc4996.c:381 d_c_lsb()] num_lsb = 4, offset_param = 3, context_value = 0x2261, original_value = 0x2262
[rfc4996.c:391 d_c_lsb()] 0x225e < value (0x2262) < 0x226d => return 0x2
[rfc4996.c:437 d_ip_id_lsb()] new ip_id = 0xbb44, ip_id_offset = 0x0002, value = 0x0003
tandemx: rfc4996.c:438: d_ip_id_lsb: Assertion `ip_id_offset == value' failed.
Aborted (core dumped)

More logs: http://pastebin.com/ithEg84C
If needed, I can provide more logs (30Mb).

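As an added illustration (not code from the bug report or from librohc): the d_c_lsb() lines above print the ingredients of ROHC's LSB decoding, which RFC 3095 section 4.5.1 defines and the ROHC-TCP profile of RFC 4996 reuses for the IP-ID offset. The compressor sends only the k least-significant bits of a value; the decompressor recovers the full value as the unique candidate inside the interpretation interval [v_ref - p, v_ref + (2^k - 1) - p] whose k LSBs match the received bits. The program below implements that rule in 16-bit arithmetic (IP-ID is a 16-bit field) and feeds it the logged parameters (num_lsb = 4, offset_param = 3, context_value = 0x2261, received bits 0x3); the function names are the example's own. It reproduces the logged interval 0x225e..0x226d and shows that the only value in it whose low 4 bits are 0x3 is 0x2263, whereas the log shows a decoded offset whose low bits are 0x2, which is exactly the mismatch the assertion at rfc4996.c:438 catches. It also handles the case where the interval wraps past 0xffff, which the logged values do not exercise.

```c
#include <stdint.h>
#include <stdio.h>

/* Example code, not librohc: LSB decoding per RFC 3095 section 4.5.1.
 * All arithmetic is modulo 2^16 because the IP-ID field is 16 bits wide. */

/* Lower bound of the interpretation interval [v_ref - p, v_ref + 2^k - 1 - p]. */
uint16_t lsb_low16(uint16_t v_ref, unsigned k, int p)
{
    (void)k;
    return (uint16_t)(v_ref - p);
}

/* Upper bound of the same interval. */
uint16_t lsb_high16(uint16_t v_ref, unsigned k, int p)
{
    return (uint16_t)(v_ref + ((1u << k) - 1u) - p);
}

/* Decode the received k LSBs against the reference value v_ref.
 * Returns the decoded 16-bit value (0..65535), or -1 on malformed input:
 * k outside 1..16, or received bits that do not fit in k bits. */
int lsb_decode16(uint16_t v_ref, unsigned k, int p, uint16_t lsb)
{
    if (k == 0 || k > 16)
        return -1;
    uint16_t mask = (uint16_t)((1u << k) - 1u);
    if (lsb > mask)
        return -1;

    uint16_t low = lsb_low16(v_ref, k, p);
    /* Candidate: the lower bound with its k LSBs replaced by the received
     * bits. If that lands below the lower bound, the 16-bit subtraction wraps
     * past the interval width, so step up one period of 2^k. The interval is
     * exactly 2^k wide, which guarantees the result lies inside it. */
    uint16_t cand = (uint16_t)((low & (uint16_t)~mask) | lsb);
    if ((uint16_t)(cand - low) > mask)
        cand = (uint16_t)(cand + (1u << k));
    return cand;
}

/* The consistency property the report's assertion enforces: a correctly
 * decoded value must reproduce the bits that were actually received. */
int lsb_roundtrip_ok(uint16_t decoded, unsigned k, uint16_t lsb)
{
    uint16_t mask = (k >= 16) ? 0xffffu : (uint16_t)((1u << k) - 1u);
    return (uint16_t)(decoded & mask) == lsb;
}

int main(void)
{
    /* Parameters copied from the d_c_lsb() / d_ip_id_lsb() log lines:
     * num_lsb = 4, offset_param = 3, context_value = 0x2261, received 0x3. */
    uint16_t v_ref = 0x2261;
    unsigned k = 4;
    int p = 3;
    uint16_t received = 0x3;

    printf("interval: 0x%04x .. 0x%04x\n",
           lsb_low16(v_ref, k, p), lsb_high16(v_ref, k, p));
    int decoded = lsb_decode16(v_ref, k, p, received);
    printf("decoded : 0x%04x, LSBs match received bits: %s\n", decoded,
           lsb_roundtrip_ok((uint16_t)decoded, k, received) ? "yes" : "no");
    /* The offset the log ends up with, 0x2262, fails the same check. */
    printf("0x2262 matches 0x3: %s\n",
           lsb_roundtrip_ok(0x2262, k, received) ? "yes" : "no");
    return 0;
}
```

The roundtrip check is the cheap invariant a decompressor can verify on every decoded field: if the chosen candidate does not reproduce the received bits, the interval or the reference value is wrong, and the packet should be rejected rather than used to update the context.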
Tags: library tcp
Didier Barvaux (didier-barvaux) wrote :

I hit the very same bug last weekend by running the fuzzer as follows:
     $ ./app/fuzzer/rohc_fuzzer replay 1417374848
(the fix for bug #1219419 is required to hit this one).

The problem is due to IP-ID encoding in the TCP profile. Neither the compressor nor the decompressor implements this encoding scheme correctly. I fixed the decompressor part last weekend, but the compressor part is required to fully fix the problem with seq_X packets. I'll resume my work on this problem next weekend.

Didier Barvaux (didier-barvaux) wrote :

I fixed the compressor part. All non-regression tests run fine with ASan and Valgrind. I restarted the fuzzing test to see if it passes with the fix. Stay tuned.

Didier Barvaux (didier-barvaux) wrote :

The fuzzing test fails again. A buffer overflow. I reworked the packet parsing of the TCP profile to be able to check the size of the output buffer before writing into it. Not an easy task. It took me the whole day. Non-regression tests are green again. I restarted the fuzzing session.

Didier Barvaux (didier-barvaux) wrote :

The fuzzing test failed several more times, but it finally passes without any error. I have to clean up all the modifications a little bit before pushing them to the public repository, but it works.
