Comment 5 for bug 1439727

Didier Barvaux (didier-barvaux) wrote :

Thank you for the hint on that bug! The feedback parsing lacks a check for the remaining length of the buffer provided by the library user. Please try the patch hereafter on the ROHC library and tell me if the problem is solved or not.

The problem is located in the library, so you have to patch it, re-build it, then re-install it on both IP/ROHC nodes (client and server). If you built the IP/ROHC client or server binaries statically with the ROHC library, then you have to re-build then re-install the IP/ROHC binaries on both IP/ROHC nodes.

Jozsef, as the first reporter of the problem, please tell me if the patch solves your problem too.

=== modified file 'src/decomp/rohc_decomp.c'
--- src/decomp/rohc_decomp.c 2014-06-21 10:59:41 +0000
+++ src/decomp/rohc_decomp.c 2015-04-12 16:11:18 +0000
@@ -4018,7 +4018,18 @@ static bool rohc_decomp_parse_feedback(s
  /* copy the feedback item in order to return it user if he/she asked for */
  if(feedback != NULL)
  {
- rohc_buf_append(feedback, rohc_buf_data(*rohc_data), feedback_len);
+ if((feedback->len + feedback_len) > rohc_buf_avail_len(*feedback))
+ {
+ rohc_warning(decomp, ROHC_TRACE_DECOMP, ROHC_PROFILE_GENERAL,
+ "failed to store %zu-byte feedback into the %zu-byte "
+ "buffer given by the user because it already contains "
+ "%zu bytes of feedback: ignore feedback", feedback_len,
+ rohc_buf_avail_len(*feedback), feedback->len);
+ }
+ else
+ {
+ rohc_buf_append(feedback, rohc_buf_data(*rohc_data), feedback_len);
+ }
  }

  /* skip the feedback item in the ROHC packet */
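
Review bot: the new condition (feedback->len + feedback_len) > rohc_buf_avail_len(*feedback) is only correct if rohc_buf_avail_len() returns the total capacity of the user's buffer, which the warning text ("the %zu-byte buffer given by the user") also assumes. If it returns the room left after the bytes already stored, feedback->len is counted twice and feedback that would fit is dropped. Please state which it is in a comment above the check, and consider comparing feedback_len against the remaining room with a subtraction so the sum cannot wrap. In the rejected branch the feedback is only logged and the code falls through to skipping the item, so the caller gets no indication that feedback was discarded; that behaviour should be documented for users who pass a feedback buffer.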