authorJonathan Santos <jrsantos@jonathanrsantos.com>2011-06-10 13:16:20 -0400
committerHolger Hans Peter Freyther <zecke@selfish.org>2011-10-16 17:50:38 +0200
commit264acb8d04ed973e6f7aca3c68e394eb357c75f9 (patch)
tree8610c564b09d84b4f109d47cd73dbf2de3205e9e
parent37a63ca34ad911f870c9d5dfb87205c13f302cba (diff)
gprs: Fix segfault on attach caused by MS Radio Access Capability larger than 14 octets
Newer phones are using a MS Radio Access Capability larger than the 14 octets specified in 04.08 Release 1998 (up to 50 octets in Rel 9). This caused the SGSN to crash since it only allocated storage for 14 octets but tried to store up to 51 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.1.1 states: "To allow for the addition of future radio technologies, frequency bands, and other enhancements, the SGSN shall store the MS radio access capability even if it is larger than specified in TS 24.008 [13], up to a maximum size of 255 octets."
-rw-r--r--openbsc/include/openbsc/gprs_sgsn.h4
-rw-r--r--openbsc/src/gprs/gprs_gmm.c2
2 files changed, 3 insertions, 3 deletions
diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 62fbb85a5..7cc61f43b 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -50,7 +50,7 @@ enum gprs_t3350_mode {
GMM_T3350_MODE_PTMSI_REALL,
};
-#define MS_RADIO_ACCESS_CAPA
+#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255
/* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
/* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
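Review bot: The new constant on the `+#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255` line carries no comment, so the reason it is 255 rather than the 14 or 52 octets a reader would expect from TS 24.008 lives only in the commit message. A one-line comment above the define would keep the rationale with the code, e.g. `/* TS 23.060 6.14.1.1: store the MS RA capability even if larger than TS 24.008 allows, up to 255 octets */`. It would also help to note that 255 is an upper bound tied to the `uint8_t len` field in struct sgsn_mm_ctx (changed in the next hunk), so the two cannot be raised independently.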
@@ -78,7 +78,7 @@ struct sgsn_mm_ctx {
/* CKSN */
enum gprs_ciph_algo ciph_algo;
struct {
- uint8_t buf[52]; /* 10.5.5.12a */
+ uint8_t buf[MS_RADIO_ACCESS_CAPA_MAX_LENGTH]; /* 10.5.5.12a */
uint8_t len;
} ms_radio_access_capa;
struct {
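Review bot: The new `uint8_t buf[MS_RADIO_ACCESS_CAPA_MAX_LENGTH];` is paired with an unchanged `uint8_t len;`, which fits exactly at 255 but would silently truncate if the macro were ever raised, and nothing in the struct says so. Suggest documenting the invariant on the field, e.g. `uint8_t len; /* <= MS_RADIO_ACCESS_CAPA_MAX_LENGTH, must fit in uint8_t */`, so the coupling between the macro value and the field width is visible at the definition rather than only in the length check in gprs_gmm.c. The enclosing struct sgsn_mm_ctx continues outside this hunk.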
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 3c450d15a..5ccb3a7e1 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -675,7 +675,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
/* MS Radio Access Capability 10.5.5.12a */
ms_ra_acc_cap_len = *cur++;
ms_ra_acc_cap = cur;
- if (ms_ra_acc_cap_len > 52)
+ if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH)
goto err_inval;
cur += ms_ra_acc_cap_len;
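Review bot: The new check on `ms_ra_acc_cap_len` only bounds the value against the SGSN's storage size; nothing in this hunk bounds it against the octets actually remaining in the message before `cur += ms_ra_acc_cap_len;`, so an Attach Request with a length byte larger than the remaining payload would leave `cur` past the end of the message and the subsequent IE parsing reading out of bounds. Unless a whole-message length check earlier in gsm48_rx_gmm_att_req already guarantees this (not visible here), the condition should also reject the IE when `ms_ra_acc_cap_len` exceeds the distance from `cur` to the end of the message payload, jumping to `err_inval` as the existing check does. Separately, if `ms_ra_acc_cap_len` is declared as `uint8_t` (its declaration is outside the hunk), `ms_ra_acc_cap_len > 255` can never be true and compilers will flag it as a tautological comparison; keeping the check is fine as a guard tied to the macro, but a short comment saying it is intentionally vacuous for a uint8_t would prevent it from being "fixed" away. The function starts and ends outside this hunk, and the copy into `ctx->ms_radio_access_capa.buf` is not shown.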