Dict parsing question

Robert Middleton robert.middleton at rm5248.com
Thu Dec 14 23:34:04 UTC 2023


Hi,

I've got a message that my library (dbus-cxx) currently crashes on due
to becoming misaligned in the parsing of the array.  Here's the
relevant part of the packet that it crashes on:

0040   05 61 7b 73 76 7d 00 00 c8 02 00 00 00 00 00 00   .a{sv}..........
0050   08 00 00 00 50 61 69 72 77 69 73 65 00 02 61 73   ....Pairwise..as
0060   00 00 00 00 41 00 00 00 08 00 00 00 63 63 6d 70   ....A.......ccmp
0070   2d 32 35 36 00 00 00 00 08 00 00 00 67 63 6d 70   -256........gcmp
0080   2d 32 35 36 00 00 00 00 04 00 00 00 63 63 6d 70   -256........ccmp
0090   00 00 00 00 04 00 00 00 67 63 6d 70 00 00 00 00   ........gcmp....
00a0   04 00 00 00 74 6b 69 70 00 00 00 00 00 00 00 00   ....tkip........

Specifically, it is crashing on parsing the 'gcmp' entry in the dict.
This is because it assumes that the 'ccmp' string entry ends at
address 0x91 in this dump (terminating NUL byte), so it will then
align to the next 8-byte boundary before attempting to decode the
string length.  The next 8-byte boundary is the string 'gcmp', which
means that it tries to decode the length as 0x706d6367, which is
clearly very wrong.

I was under the assumption that the next dict entry should start on
the 8-byte boundary, but it appears to be starting on a 4-byte
boundary with the length of the string.  I can't quite figure out how
this makes sense according to the spec, since if the string was not
counting the NUL byte as part of the marshaling I would expect the
length of the string to be shifted 4 bytes left.  Am I missing
something here?

-Robert Middleton
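An added example, written for this page rather than taken from the post or from dbus-cxx, that walks the dumped bytes with the alignment rules of the D-Bus specification: a DICT_ENTRY is 8-byte aligned, but the variant under the 'Pairwise' key carries an `as`, and each STRING element of that array is only 4-byte aligned (it starts with its uint32 length), which is why the elements after 'ccmp' begin on 4-byte boundaries. The reader keeps absolute message offsets, because alignment is relative to the start of the message rather than the start of the dump; the body offset 0x48 is an assumption read off the dump (the header's signature field ends at 0x46 and the header is padded to 8). The second function reproduces the reported misparse by aligning to 8 after 'ccmp', which lands on the bytes of 'gcmp' and yields the length 0x706d6367; every read is bounds-checked against the buffer, so that length is refused instead of being followed, which is what keeps a mis-parsed length in an attacker-supplied message from turning into an out-of-bounds read.

```python
import struct

# Bytes transcribed from the hexdump in the post (constructed test input);
# the dump begins at message offset 0x40 and the message is little-endian.
DUMP_BASE = 0x40
DUMP = bytes.fromhex(
    "05617b73767d0000c802000000000000"  # 0x40: end of header; body at 0x48
    "08000000506169727769736500026173"  # 0x50: "Pairwise", variant sig "as"
    "00000000410000000800000063636d70"  # 0x60: 'as' length 0x41, "ccmp-256"
    "2d323536000000000800000067636d70"  # 0x70: "gcmp-256"
    "2d323536000000000400000063636d70"  # 0x80: "ccmp"
    "000000000400000067636d7000000000"  # 0x90: "gcmp"
    "04000000746b69700000000000000000"  # 0xa0: "tkip"
)
# Natural alignment of each type code, from the D-Bus specification.
ALIGN = {'y': 1, 'b': 4, 'n': 2, 'q': 2, 'i': 4, 'u': 4, 'x': 8, 't': 8,
         'd': 8, 's': 4, 'o': 4, 'g': 1, 'a': 4, 'v': 1, '(': 8, '{': 8}
FIXED = {'y': 'B', 'b': 'I', 'n': 'h', 'q': 'H', 'i': 'i', 'u': 'I', 'x': 'q', 't': 'Q', 'd': 'd'}

class Reader:
    """Cursor over a fragment; pos is the absolute message offset, which is
    what alignment is computed against, so a partial dump aligns correctly."""
    def __init__(self, buf, base, endian='<'):
        self.buf, self.base, self.pos, self.endian = buf, base, base, endian

    def take(self, n):
        if self.pos + n > self.base + len(self.buf):  # wire lengths are untrusted
            raise ValueError("read of %d bytes at 0x%x overruns buffer" % (n, self.pos))
        self.pos += n
        return self.buf[self.pos - self.base - n:self.pos - self.base]

    def align(self, n):
        if any(self.take((-self.pos) % n)):  # spec: padding bytes must be zero
            raise ValueError("non-zero padding before 0x%x" % self.pos)

    def u32(self):
        return struct.unpack(self.endian + 'I', self.take(4))[0]

def split_signature(sig):
    """'a{sv}s' -> ['a{sv}', 's']: '(' and '{' nest, 'a' prefixes its element."""
    out, i = [], 0
    while i < len(sig):
        j, depth = i, 0
        while True:
            depth += (sig[j] in '({') - (sig[j] in ')}')
            j += 1
            if depth == 0 and sig[j - 1] != 'a':
                break
        out.append(sig[i:j])
        i = j
    return out

def read_value(r, sig):
    """Unmarshal one complete type at the cursor with the spec's alignment."""
    c = sig[0]
    r.align(ALIGN[c])
    if c in FIXED:
        fmt = r.endian + FIXED[c]
        return struct.unpack(fmt, r.take(struct.calcsize(fmt)))[0]
    if c in 'sog':                                 # length, bytes, NUL
        n = r.take(1)[0] if c == 'g' else r.u32()
        data = r.take(n + 1)                       # bounds-checked before use
        if data[-1] != 0:
            raise ValueError("missing NUL terminator at 0x%x" % (r.pos - 1))
        return data[:-1].decode('utf-8')
    if c == 'v':
        return read_value(r, read_value(r, 'g'))
    if c in '({':
        return tuple(read_value(r, t) for t in split_signature(sig[1:-1]))
    # Array: u32 byte length, padding to the *element's* alignment, elements.
    # Elements of 'as' are STRINGs (align 4); only a{..} entries align to 8.
    elem, n = sig[1:], r.u32()
    r.align(ALIGN[elem[0]])
    stop, items = r.pos + n, []
    while r.pos < stop:
        items.append(read_value(r, elem))
    if r.pos != stop:
        raise ValueError("array contents do not match declared length")
    return dict(items) if elem[0] == '{' else items

def parse_first_entry():
    """Walk the 'Pairwise' dict entry of the body's a{sv} by the spec's rules."""
    r = Reader(DUMP, DUMP_BASE)
    r.pos = 0x48                    # body start: header padded to 8 (assumed from the dump)
    body_len = r.u32()              # 0x2c8: the a{sv} runs well past this fragment
    r.align(ALIGN['{'])             # each DICT_ENTRY starts 8-byte aligned
    key, value = read_value(r, 's'), read_value(r, 'v')
    return key, value, r.pos, body_len

def misaligned_length():
    """Reproduce the post's crash: after the NUL of 'ccmp' the cursor is at
    0x91; aligning the next STRING to 8 instead of 4 skips the real length
    at 0x94 and decodes the bytes of 'gcmp' as a length."""
    r = Reader(DUMP, DUMP_BASE)
    r.pos = (0x91 + 7) & ~7         # 0x98, bypassing the zero-padding check
    bogus = r.u32()                 # 0x706d6367 == b'gcmp' little-endian
    try:
        r.take(bogus + 1)           # a bounded reader refuses to follow it
    except ValueError:
        return bogus, True
    return bogus, False
```

Two checks in this reader are worth keeping in any D-Bus unmarshaller: the padding bytes are verified to be zero, as the specification requires, so calling `align(8)` at 0x91 fails immediately (the byte at 0x94 is 0x04, the real length of 'gcmp', not padding) before any length is interpreted; and every length taken from the wire is compared against the buffer before it is used, so a misaligned or hostile length raises rather than reading past the message.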


More information about the dbus mailing list