From e674c44c3073705ae46b668cd86100bd9c90db98 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 1 Sep 2019 22:30:58 +0200
Subject: cbsp: Fix decoding of WRITE-REPLACE payload The user length is the first IE *in* the fixed-length TV, make sure cbsp_dec_write_repl() respects that.
Change-Id: I864cafac2466a89a4bd9644bc73363fff2babd03
---
src/gsm/cbsp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/gsm/cbsp.c b/src/gsm/cbsp.c
index 591ff251..ccc2df53 100644
--- a/src/gsm/cbsp.c
+++ b/src/gsm/cbsp.c
@@ -687,8 +687,8 @@ static int cbsp_dec_write_repl(struct osmo_cbsp_write_replace *out, const struct
 }
 page = talloc_zero(ctx, struct osmo_cbsp_content);
 OSMO_ASSERT(page);
- page->user_len = *(ie-1); /* length byte before payload */
- memcpy(page->data, ie, sizeof(page->data));
+ page->user_len = ie[0]; /* length byte before payload */
+ memcpy(page->data, ie+1, sizeof(page->data));
 llist_add_tail(&page->list, &out->u.cbs.msg_content);
 }
 } else {
--
cgit v1.2.3
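Review bot: `page->user_len = ie[0]` stores a length byte taken straight from the received message, and nothing in this hunk checks it against `sizeof(page->data)`, so any later code that trusts `user_len` as a bound on `data` could read past the array when a peer sends an oversized value. A check before the allocation, such as `if (ie[0] > sizeof(page->data)) return -EINVAL;` (using whatever error return this function uses elsewhere), would reject such a message without leaking `page`. The `memcpy` from `ie+1` also depends on the IE value being at least `1 + sizeof(page->data)` bytes long; the commit message implies the TLV definition guarantees this, and a comment saying so, e.g. `/* fixed-length IE: 1 length byte + sizeof(page->data) payload bytes */`, would make that visible here. The body of cbsp_dec_write_repl() starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out.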