Compression/decompression failure with large IPv6 extension

Bug #565470 reported by Didier Barvaux
This bug affects 1 person
Affects     Status         Importance   Assigned to      Milestone
rohc (status tracked in Rohc-main)
1.3.x       Fix Released   High         Didier Barvaux
Rohc-main   Fix Released   High         Didier Barvaux

Bug Description

The ROHC library fails to correctly compress and decompress an IPv6 packet with a large IPv6 extension (2048 bytes). The library does not report any error either during compression or during decompression. However, the generated ROHC packet is 4150 bytes long and the generated IP packet is 4144 bytes long while the original IPv6 packet is only 2096 bytes long.

The problem may be reproduced with the non-regression tool and the attached PCAP capture. The output of the command below is attached to the bug too.
   $ ./test/test smallcid ipv6_with_large_extension.pcap

The PCAP capture was generated with Scapy (http://www.secdev.org/projects/scapy/) with the following Python commands:
  >>> pad = ''
  >>> for i in range(0, 255):
  ...     pad += '\x00'
  ...
  >>> packet = Ether() / IPv6() / \
  ...     IPv6ExtHdrHopByHop(options = [ \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=255, optdata=pad), \
  ...         PadN(otype='PadN', optlen=245, optdata=pad[0:245]) \
  ...     ] ) / \
  ...     ICMPv6EchoRequest()
  >>> wrpcap("ipv6_with_large_extension.pcap", packet)

Tags: library
Didier Barvaux (didier-barvaux) wrote :
Didier Barvaux (didier-barvaux) wrote :
Didier Barvaux (didier-barvaux) wrote :

Confirmed for 1.3.x.

Didier Barvaux (didier-barvaux) wrote :

Confirmed for trunk.

Didier Barvaux (didier-barvaux) wrote :

Branch 1.2.x is not affected by the bug.

Didier Barvaux (didier-barvaux) wrote :

Fix committed in branch 1.3.x. See http://bazaar.launchpad.net/~didier-barvaux/rohc/1.3.x/revision/140 and http://bazaar.launchpad.net/~didier-barvaux/rohc/1.3.x/revision/141.

Explanation of the bug: functions ip_get_extension_size() and ip_get_total_extension_size() had uint8_t as their return type, but it is possible that one IPv6 extension for the former or several IPv6 extensions for the latter are larger than 255 bytes. 'unsigned short' should be used instead of 'uint8_t'.

The commits fix the bug but also add a new non-regression test based on the capture attached to this bug entry.
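
The truncation described in the comment above, as an added C example that is not the ROHC library's code: every function name and the sample buffer are constructed for illustration. It shows a 2048-byte extension header size collapsing to 0 in a uint8_t return value, next to an unsigned short version and a bounds-checked walk over the extension chain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: all names are hypothetical, not the ROHC library's. */
#define SAMPLE_LEN 2056u
/* An IPv6 extension header is (Hdr Ext Len + 1) * 8 bytes: 8 to 2048. */
static uint8_t ext_size_u8(const uint8_t *ext)         /* too narrow */
{
	return (uint8_t) ((ext[1] + 1) * 8);               /* 2048 -> 0 */
}

static unsigned short ext_size_u16(const uint8_t *ext) /* wide enough */
{
	return (unsigned short) ((ext[1] + 1) * 8);
}

/* Hop-by-Hop (0), Routing (43), Destination Options (60). */
static int is_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 60; }

/* Total size of the extension chain, or -1 if a header overruns buf. */
static long total_ext_size(const uint8_t *buf, size_t len, uint8_t nh)
{
	size_t off = 0;
	while (is_ext(nh)) {
		if (len - off < 2 || ext_size_u16(buf + off) > len - off)
			return -1;
		nh = buf[off];
		off += ext_size_u16(buf + off);
	}
	return (long) off;
}

/* Constructed sample: 2048-byte Hop-by-Hop, then 8-byte Destination Options. */
static void build_sample(uint8_t buf[SAMPLE_LEN])
{
	memset(buf, 0, SAMPLE_LEN);
	buf[0] = 60;  buf[1] = 255;      /* next = Dest Opts, Hdr Ext Len = 255 */
	buf[2048] = 58; buf[2049] = 0;   /* next = ICMPv6,    Hdr Ext Len = 0   */
}

int main(void)
{
	uint8_t buf[SAMPLE_LEN];
	build_sample(buf);
	printf("uint8_t: %u, unsigned short: %u, chain total: %ld\n", (unsigned) ext_size_u8(buf),
	       (unsigned) ext_size_u16(buf), total_ext_size(buf, sizeof(buf), 0));
	return 0;
}
```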

Didier Barvaux (didier-barvaux) wrote :
Didier Barvaux (didier-barvaux) wrote :

Errata for comment #7: revision 155 was a mistake, the correct one is revision 156, see http://bazaar.launchpad.net/~didier-barvaux/rohc/main/revision/156.

Didier Barvaux (didier-barvaux) wrote :

Fix released in version 1.3.1.
