authorJonathan Santos <jrsantos@jonathanrsantos.com>2011-06-10 15:22:11 -0400
committerHolger Hans Peter Freyther <zecke@selfish.org>2011-10-16 17:50:38 +0200
commitdd81e97403327f47d61ffaa172f723d739ef779d (patch)
tree1af56d972782dbd7f0239468f06b9e5edd368dc2
parent264acb8d04ed973e6f7aca3c68e394eb357c75f9 (diff)
gprs: Fix possible segfault on attach caused by MS Network Capability larger than 4 octets
The SGSN was allowing MS Network Capability of up to 8 octets, but only allocating storage for 4 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.2 states: To allow for the addition of future features, the SGSN shall store the UE Network Capability and the MS Network Capability even if either or both is larger than specified in TS 24.008 [13]/TS 24.301 [102], up to a maximum size of 32 octets for each IE.
-rw-r--r--openbsc/include/openbsc/gprs_sgsn.h3
-rw-r--r--openbsc/src/gprs/gprs_gmm.c2
2 files changed, 3 insertions, 2 deletions
diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 7cc61f43b..0fa49a775 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -51,6 +51,7 @@ enum gprs_t3350_mode {
};
#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255
+#define MS_NETWORK_CAPA_MAX_LENGTH 32
/* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
/* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
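Review bot: The new constant carries no comment saying where 32 comes from, so the next person who sees TS 24.008 grow the IE again has no way to tell whether the number is a spec limit or an arbitrary buffer size. Suggest `#define MS_NETWORK_CAPA_MAX_LENGTH 32 /* TS 23.060 6.14.2: SGSN shall store up to 32 octets */` so the bound is traceable to the clause the commit message cites. The diffstat shows three insertions, so the blank separator lines of this hunk appear to have been dropped by the page extraction rather than by the patch.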
@@ -82,7 +83,7 @@ struct sgsn_mm_ctx {
uint8_t len;
} ms_radio_access_capa;
struct {
- uint8_t buf[4]; /* 10.5.5.12 */
+ uint8_t buf[MS_NETWORK_CAPA_MAX_LENGTH]; /* 10.5.5.12 */
uint8_t len;
} ms_network_capa;
uint16_t drx_parms;
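Review bot: The comment on the enlarged buffer should record why it is 32 octets and that the parser's length check must stay tied to the same constant, otherwise a later edit to either side silently reintroduces the overflow this commit fixes. Suggest `uint8_t buf[MS_NETWORK_CAPA_MAX_LENGTH]; /* 10.5.5.12; TS 23.060 6.14.2: store up to 32 octets. gprs_gmm.c must reject msnc_len > MS_NETWORK_CAPA_MAX_LENGTH before copying in */`. The adjacent `uint8_t len;` is still wide enough for 32, so no change is needed there. struct sgsn_mm_ctx starts before this hunk.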
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 5ccb3a7e1..3d3e18165 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -644,7 +644,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
/* MS network capability 10.5.5.12 */
msnc_len = *cur++;
msnc = cur;
- if (msnc_len > 8)
+ if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH)
goto err_inval;
cur += msnc_len;
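Review bot: The new bound on msnc_len only protects the copy into ctx->ms_network_capa.buf; nothing visible in this hunk checks that msnc_len octets are actually present in the message before `cur += msnc_len`, and the length octet itself is read with `*cur++` with no remaining-length check in view, so a truncated Attach Request can still walk cur past the end of the msgb and the IE parsing that follows reads out of bounds. Because msnc_len arrives over the air from the MS it should be bounded against the bytes left in msg as well as the storage size, e.g. `if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH || cur + msnc_len > msg->tail)`, substituting whatever end-of-L3 pointer gsm48_rx_gmm_att_req already derives from msg outside the hunk. A minimum-length check may also be warranted if later code assumes the first octets of the IE are present (TS 24.008 10.5.5.12 defines a minimum size), but I cannot confirm that from the visible lines. gsm48_rx_gmm_att_req starts before and continues after this hunk.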