TCP profile: fuzzer makes the decompressor crash

Bug #1219419 reported by Didier Barvaux
This bug affects 3 people
Affects / Status / Importance / Assigned to / Milestone
rohc: Status tracked in Rohc-main
Rohc-1.7.x: Won't Fix / Medium / Didier Barvaux
Rohc-main: Fix Released / Medium / Didier Barvaux

Bug Description

The TCP profile is not robust enough: the decompression fuzzer (./app/fuzzer/rohc_fuzzer) makes the TCP decompression profile crash or assert.

For example: ./app/fuzzer/rohc_fuzzer replay 1378031898

Vadim Melikhov (uprsnab) wrote :

This packet crashes the decompressor:

http://pastebin.com/PTWiYSqH

typedef struct __attribute__((packed)) ipv6_option_context
{
      uint8_t context_length;
      uint8_t option_length;

      uint8_t next_header;
      uint8_t length;

      uint8_t value[6];

} ipv6_option_context_t;

The problem is that the option length is not checked in tcp_decode_dynamic_ipv6_option when
proto = ROHC_IPPROTO_HOPOPTS

We get 2 memcpy calls with size=1750:
memcpy(ip_context.v6_option->value, rohc_packet, size);
memcpy(base_header.ipv6_opt->value, ip_context.v6_option->value, size);

but ip_context.v6_option->value and base_header.ipv6_opt->value have only 6 bytes.
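A bounds-checked version of this parse step, added here as an example and not the library's own code: the length claimed by the packet is checked against both the 6-byte destination and the remaining input before memcpy. The decoder shape is hypothetical, and deriving the value size from the length byte as an RFC 2460 extension header ((length + 1) * 8 minus 2) is an assumption, chosen because length 218 reproduces the 1750 quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Same layout as the context struct quoted in the report: a 6-byte value[] */
typedef struct __attribute__((packed)) ipv6_option_context
{
    uint8_t context_length;
    uint8_t option_length;
    uint8_t next_header;
    uint8_t length;
    uint8_t value[6];
} ipv6_option_context_t;

/* Assumption: value size follows RFC 2460 extension header semantics,
 * (length + 1) * 8 octets minus the 2 header octets; 218 -> 1750 as in the report. */
static size_t hbh_value_size(uint8_t length)
{
    return ((size_t)length + 1) * 8 - 2;
}

/* Hypothetical stand-in for the decoder (not the library's code): parses
 * [next_header][length][value...] into ctx; returns bytes consumed or -1. */
int decode_ipv6_option_checked(const uint8_t *rohc_packet, size_t rohc_len,
                               ipv6_option_context_t *ctx)
{
    if (rohc_len < 2)
        return -1;                              /* header itself truncated */
    size_t size = hbh_value_size(rohc_packet[1]);
    if (size > sizeof(ctx->value))
        return -1;                              /* would overflow value[6] */
    if (size > rohc_len - 2)
        return -1;                              /* would read past the packet */
    ctx->next_header = rohc_packet[0];
    ctx->length = rohc_packet[1];
    memcpy(ctx->value, rohc_packet + 2, size);  /* size now bounded both ways */
    return (int)(2 + size);
}

/* Constructed inputs: a well-formed option, and one claiming length 218 */
const uint8_t good_pkt[8] = { 0x3b, 0x00, 1, 2, 3, 4, 5, 6 };
const uint8_t bad_pkt[8]  = { 0x3b, 0xda, 1, 2, 3, 4, 5, 6 };
ipv6_option_context_t demo_ctx;

int main(void)
{
    printf("good: %d\n", decode_ipv6_option_checked(good_pkt, 8, &demo_ctx));
    printf("bad:  %d\n", decode_ipv6_option_checked(bad_pkt, 8, &demo_ctx));
    return 0;
}
```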

Didier Barvaux (didier-barvaux) wrote :

Thank you for isolating the faulty ROHC packet!

I reproduced and fixed the problem during last weekend (same analysis as you) but I didn't extract the packet to create a simple and quick non-regression test (the fuzzing tool is slow!).

I haven't pushed the fix to the public repository yet. I need to clean up things before doing so. I'll do it next weekend.

Vadim Melikhov (uprsnab) wrote :

Didier, thank you for the great job.

This script may be useful to you.
http://pastebin.com/We7A6XZ9

Didier Barvaux (didier-barvaux) wrote :

I added the faulty packet as a new robustness/malformed test. Thanks again for isolating it.

Didier Barvaux (didier-barvaux) wrote :

The fuzzing test fails again. A buffer overflow. I reworked the packet parsing of the TCP profile to be able to check for the size of the output buffer before writing in it. Not an easy task. It took me the whole day. Non-regression tests are green again. I restarted the fuzzing session.

Vadim Melikhov (uprsnab) wrote :

I made a little collection with backtrace & packets.
http://tech-papa.com/rohc/

Didier Barvaux (didier-barvaux) wrote :

The fuzzing test failed several times more, but it finally passes without any error. I have to clean up all the modifications a little bit before pushing them to the public repository, but it works.

Thank you for the collection of crashing packets. I'm going to test them.

Didier Barvaux (didier-barvaux) wrote :

I tested your crashing packets. Some of them do not crash the ROHC library alone (previous packets are probably needed to create an appropriate context). The other packets crash the library before the last fixes. None of them crashes the library with the last fixes. Great!
