TCP profile: fuzzer makes the decompressor crash
Bug #1219419 reported by Didier Barvaux
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| rohc | Status tracked in Rohc-main | | | |
| Rohc-1.7.x | Won't Fix | Medium | Didier Barvaux | |
| Rohc-main | Fix Released | Medium | Didier Barvaux | |
Bug Description
The TCP profile is not robust enough: the decompression fuzzer (./app/
For example: ./app/fuzzer/
That packet that crashes the decompressor:
http://pastebin.com/PTWiYSqH
typedef struct __attribute__((packed)) ipv6_option_context
{
	uint8_t context_length;
	uint8_t option_length;
	uint8_t next_header;
	uint8_t length;
	uint8_t value[6];
} ipv6_option_context_t;
The problem is that the option length is not checked in tcp_decode_dynamic_ipv6_option (HOPOPTS,
proto = ROHC_IPPROTO_
We get 2 memcpy with size=1750:
memcpy(ip_context.v6_option->value, rohc_packet, size);
memcpy(base_header.ipv6_opt->value, ip_context.v6_option->value, size);
but ip_context.v6_option->value and base_header.ipv6_opt->value have only 6 bytes.
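As an added illustration (not the ROHC library's own code), the shape of the bounds check that the comment above is asking for: a hypothetical stand-in for the option decoder that rejects a claimed option length larger than the 6-byte `value` field or larger than the bytes remaining in the packet, before either memcpy runs. The function names, the `rohc_len` parameter and the return convention are assumptions; only the struct is taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Context struct as quoted in the report: the value field holds only 6 bytes. */
typedef struct __attribute__((packed)) ipv6_option_context
{
	uint8_t context_length;
	uint8_t option_length;
	uint8_t next_header;
	uint8_t length;
	uint8_t value[6];
} ipv6_option_context_t;

/* Hypothetical stand-in for the dynamic-part option decoder (the real
 * tcp_decode_dynamic_ipv6_option() has a different signature).
 *   ctx         : per-option context to fill
 *   rohc_packet : remaining bytes of the received ROHC packet
 *   rohc_len    : number of bytes actually available at rohc_packet
 *   size        : option value length claimed by the packet (1750 in the report)
 * Returns the number of bytes consumed, or -1 when the packet must be rejected. */
static int decode_ipv6_option_checked(ipv6_option_context_t *ctx,
                                      const uint8_t *rohc_packet,
                                      size_t rohc_len, size_t size)
{
	/* the claimed length must fit the fixed 6-byte destination, otherwise
	 * memcpy() writes past ctx->value: this is the reported crash */
	if(size > sizeof(ctx->value))
		return -1;
	/* it must also fit what was actually received, otherwise the copy
	 * reads beyond the end of the packet buffer */
	if(size > rohc_len)
		return -1;
	memcpy(ctx->value, rohc_packet, size);
	ctx->option_length = (uint8_t) size;
	return (int) size;
}

/* The second copy from the report (context -> base_header.ipv6_opt->value)
 * reuses the same size, so the bounds accepted above also bound that copy. */
static int copy_option_to_header(uint8_t dst[6], const ipv6_option_context_t *ctx)
{
	if(ctx->option_length > 6)
		return -1;
	memcpy(dst, ctx->value, ctx->option_length);
	return ctx->option_length;
}
```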