Comment 1 for bug 1219419

that packet that crash decompressor

http://pastebin.com/PTWiYSqH

typedef struct __attribute__((packed)) ipv6_option_context
{
      uint8_t context_length;
      uint8_t option_length;

      uint8_t next_header;
      uint8_t length;

      uint8_t value[6];

} ipv6_option_context_t;

the problem that options length not checking in tcp_decode_dynamic_ipv6_option
proto = ROHC_IPPROTO_HOPOPTS

we got 2 memcpy with size=1750
memcpy(ip_context.v6_option->value, rohc_packet, size);
memcpy(base_header.ipv6_opt->value, ip_context.v6_option->value, size)

but ip_context.v6_option->value and base_header.ipv6_opt->value has only 6 bytes.