rohc

Decompression failure for IPv4 stream with empty payload

Bug #803648 reported by Didier Barvaux on 2011-06-29

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	rohc	Status tracked in Rohc-main
	1.2.x	Won't Fix	Medium	Didier Barvaux	rohc 1.2.3
	1.3.x	Won't Fix	Medium	Didier Barvaux	rohc 1.3.2
	Rohc-main	Fix Released	Medium	Didier Barvaux	rohc 1.4.0

Bug Description

The attached PCAP file fails to be compressed then decompressed. The file contains a stream of IPv4 packets with empty payload. One of the packets is compressed as a ROHC UO-0 packet on one single byte (Add-CID is omitted because it is 0). This packet fails to be decompressed because the decompressor expects at least 2 bytes for the ROHC packet.

The 2-byte assumption is not correct in all cases and shall be removed. However additional checks shall be added for ROHC packets that are expected to be larger.

Tags:

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-06-29:

#1

IPv4 stream with empty payload Edit (374 bytes, application/cap)

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#2

IPv4/UDP stream with empty payload Edit (430 bytes, application/cap)

Attach to the bug a capture with a IPv4/UDP stream with empty UDP payload. This new capture does not cause any bug in the library. It may be added to library tests to improve the code coverage.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#3

On trunk, add new robustness tests:
- A stream of IPv4 packets with empty payloads to be compressed with the
IP-only profile. This test fails at the moment.
- A stream of IPv4/UDP packets with empty payloads to be compressed with the
UDP profile. This test succeeds.

See http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/265

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#4

Confirmed on the 1.3.x branch.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#5

Confirmed on the 1.2.x branch.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#6

Change importance on trunk from 'High' to 'Medium'. This is a bug but it does not cause any problem except dropping the packet.

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#7

On the 1.3.x branch:
    While compressing a stream of IPv4 packets with empty payloads, the
    compressor may create UO-0 packets of 1 byte. These 1-byte UO-0 packets fail
    to be decoded by the decompressor. The decompressor expects at least 2 bytes
    of ROHC data. That check may be removed but it would leave the rest of code
    unprotected. In order to protect the rest of the code, the offset to the
    remaining of base header (called second byte in the code) must be given to
    several internal functions. This is too much work for the 1.3.x branches.
    The problem will be fixed in the trunk for the 1.4.0 release.

See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.3.x/revision/163

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#8

On the 1.2.x branch:

While compressing a stream of IPv4 packets with empty payloads, the
compressor may create UO-0 packets of 1 byte. These 1-byte UO-0 packets fail
to be decoded by the decompressor. The decompressor expects at least 2 bytes
of ROHC data. That check may be removed but it would leave the rest of code
unprotected. In order to protect the rest of the code, the offset to the
remaining of base header (called second byte in the code) must be given to
several internal functions. This is too much work for the 1.2.x branches.
The problem will be fixed in the trunk for the 1.4.0 release.

See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.2.x/revision/137

Revision history for this message

Didier Barvaux (didier-barvaux) wrote on 2011-11-13:

#9

Fix committed on the trunk:
- remove the overzelous check for at least 2 bytes of ROHC data,
- add several length checks in internal functions when applicable to avoid security/robustness problems.

See http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/266

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.