rohc

iprohc assertion failure

Bug #1439727 reported by formater2007
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
rohc
Status tracked in Rohc-main
Rohc-1.7.x
Fix Committed
High
Didier Barvaux
rohc 1.7.1
Rohc-main
Fix Released
High
Didier Barvaux
rohc 2.0.0

Bug Description

Hi,
 We are using iprohc 0.7.1 with rohc-1.7.0, with debian 7.8, kernel 3.2.0-4-amd64. Packages were downloaded as source packages, and build on servers.

 Configured iprohc tunel between two servers, ping works correctly on both direction, but when we try to put some simulated SIP traffic on the tunnel, with 1-2 minutes either iprohc_client or iprohc_server stops, with following assertion error:

iprohc_server: rohc_buf.c:186: rohc_buf_append: Assertion `(buf->len + len) <= rohc_buf_avail_len(*buf)' failed.

or

iprohc_client: rohc_buf.c:186: rohc_buf_append: Assertion `(buf->len + len) <= rohc_buf_avail_len(*buf)' failed.

Reproduced with simulated SIP traffic many times today.

What other information should I provide? I'm ready to help!
Thanks in advance,
 Joseph

See original description
Revision history for this message
formater2007 (jozsef-dudas) wrote :

Hi,
 I'm not sure, if it's iprohc related, or rohc library related, because the assertion happens in rohc library...

formater2007 (jozsef-dudas)
summary: - iprohc assertation failure
+ iprohc assertion failure
description: updated
Didier Barvaux (didier-barvaux)
Changed in rohc:
assignee: nobody → Didier Barvaux (didier-barvaux)
status: New → In Progress
tags: added: iprohc
tags: added: rtp sip
Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Hi,

Not sure if it is IP/ROHC tunnel or ROHC library related. There is an easy way to test: please provide me a network capture of the VoIP traffic that makes the server or client asserts. You may use tcpdump to perform it. Don't forget to specify the -s0 option to capture the full packets.

You may attach the capture to this ticket. Be aware however that the capture file will be public and that it could leak some of your private data. If don't want to, send the file to me in private by email. If too big for an email, upload it somewhere then send the link to me in private by email.

Regards,
Didier

Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

I'll try to reproduce the same problem with the library directly. If it fails, then the library is faulty. Otherwise the problem is probably located in the IP/ROHC code. If so, I'll ask you for a coredump of the server/client that asserts (along with the binary and libraries with symbols included).

Revision history for this message
Mohammad Abyan Abdullah (c-admin-v) wrote :
Download full text (3.5 KiB)

Hi!!
  I've also faced that problem today. What I see that feedback buffer is set 100. If feedback is getting larger then 100 then at last packet which is in boundary or the buffer at that time we found assertion failure. It doesn't happen often so its tough to reproduce the problem each time. I've tried with feedback buffer 500 too. But whenever any of the feedback item on the boundary of the buffer the we are getting assertion failure. Here is a log that I got few days ago.

[rohc_decomp.c:1359 rohc_decompress3()] decompress the 147-byte packet #8492
 [rohc_decomp.c:3895 rohc_decomp_parse_padding()] skip 0 byte(s) of padding
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #1 at offset 0 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #2 at offset 8 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #3 at offset 16 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #4 at offset 24 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #5 at offset 32 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 6 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #6 at offset 39 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #7 at offset 47 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 6 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #8 at offset 54 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #9 at offset 62 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #10 at offset 70 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #11 at offset 78 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 6 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #12 at offset 85 in ROHC packet
 [rohc_decomp.c:3990 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 6 bytes)
 [rohc_decomp.c:3928 rohc_decomp_parse_feedbacks()] parse feedback item #13 at offset 92 in ROHC packet
 [rohc_decom...

Read more...

Didier Barvaux (didier-barvaux)
tags: added: feedback library
removed: iprohc rtp sip
Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Thank you for the hint on that bug! The feedback parsing lacks a check for the remaining length of the buffer provided by the library user. Please try the patch hereafter on the ROHC library and tell me if the problem is solved or not.

The problem is located in the library, so you have to patch it, re-build it, then re-install it on both IP/ROHC nodes (client and server). If you built the IP/ROHC client or server binaries statically with the ROHC library, then you have to re-build then re-install the IP/ROHC binaries on both IP/ROHC nodes.

Jozsef, as the first reporter of the problem, please tell me if the patch solves your problem too.

=== modified file 'src/decomp/rohc_decomp.c'
--- src/decomp/rohc_decomp.c 2014-06-21 10:59:41 +0000
+++ src/decomp/rohc_decomp.c 2015-04-12 16:11:18 +0000
@@ -4018,7 +4018,18 @@ static bool rohc_decomp_parse_feedback(s
  /* copy the feedback item in order to return it user if he/she asked for */
  if(feedback != NULL)
  {
- rohc_buf_append(feedback, rohc_buf_data(*rohc_data), feedback_len);
+ if((feedback->len + feedback_len) > rohc_buf_avail_len(*feedback))
+ {
+ rohc_warning(decomp, ROHC_TRACE_DECOMP, ROHC_PROFILE_GENERAL,
+ "failed to store %zu-byte feedback into the %zu-byte "
+ "buffer given by the user because it already contains "
+ "%zu bytes of feedback: ignore feedback", feedback_len,
+ rohc_buf_avail_len(*feedback), feedback->len);
+ }
+ else
+ {
+ rohc_buf_append(feedback, rohc_buf_data(*rohc_data), feedback_len);
+ }
  }

  /* skip the feedback item in the ROHC packet */

Revision history for this message
Mohammad Abyan Abdullah (c-admin-v) wrote :
Download full text (3.5 KiB)

Hi!!
  I think it solved the problem. Here is the log.

[rohc_decomp.c:1370 rohc_decompress3()] decompress the 150-byte packet #14810
[rohc_decomp.c:3911 rohc_decomp_parse_padding()] skip 0 byte(s) of padding
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #1 at offset 0 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #2 at offset 8 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #3 at offset 16 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #4 at offset 24 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #5 at offset 32 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #6 at offset 40 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #7 at offset 48 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #8 at offset 56 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 6 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #9 at offset 63 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #10 at offset 71 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #11 at offset 79 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #12 at offset 87 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #13 at offset 95 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:4044 rohc_decomp_parse_feedback()] failed to store 8-byte feedback into the 5-byte buffer given by the user because it already contains 0 bytes of feedback: ignore feedback
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #14 at offset 95 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header...

Read more...

Revision history for this message
Mohammad Abyan Abdullah (c-admin-v) wrote :
Download full text (22.8 KiB)

Hi!!
  Another thing I noticed is after 96 offset all feedbacks are ignored here. Here is another log.

[rohc_decomp.c:1370 rohc_decompress3()] decompress the 534-byte packet #16194
[rohc_decomp.c:3911 rohc_decomp_parse_padding()] skip 0 byte(s) of padding
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #1 at offset 0 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #2 at offset 8 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #3 at offset 16 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #4 at offset 24 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #5 at offset 32 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #6 at offset 40 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #7 at offset 48 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #8 at offset 56 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #9 at offset 64 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #10 at offset 72 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #11 at offset 80 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #12 at offset 88 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #13 at offset 96 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #11 at offset 80 in ROHC packet
[rohc_decomp.c:4006 rohc_decomp_parse_feedback()] feedback found (header = 1 bytes, data = 7 bytes)
[rohc_decomp.c:3944 rohc_decomp_parse_feedbacks()] parse feedback item #12 at offset 88 in ROHC packet
[rohc_dec...

Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Thank you for the feedback!

> Another thing I noticed is after 96 offset all feedbacks are ignored here.

The limit is not 6 bytes strictly speaking. All feedback messages are parsed, but only the ones that can completely fit into the buffer are stored. In your case, the buffer is 100-byte long and the feedback messages are 8-byte long, so only 12 messages are stored. If one of the last feedback messages was 4-byte long, that message would have been stored into the user buffer.

Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Jozsef, as the first reporter of the problem, please tell me if the patch solves your problem too.

Revision history for this message
formater2007 (jozsef-dudas) wrote :

Thanks Didier, patch did solve the issue!

Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Thank you for the confirmation Jozsef.

Revision history for this message
Didier Barvaux (didier-barvaux) wrote :

Commit 74f691ef on master.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.