authorHarald Welte <laforge@gnumonks.org>2011-07-27 23:35:38 +0200
committerHarald Welte <laforge@gnumonks.org>2011-07-27 23:35:38 +0200
commit4b2ed35b8f35b86ad19e9ff12485dba8adc26e50 (patch)
tree87f49f997ff1ee1668724be51195d8f7e5537f99 /openbsc/include/openbsc/gprs_sgsn.h
parent074b2b24e00fa4f6e39e2f5025ec628663ac95d8 (diff)
GPRS: Fix buffer overflow in case of very long MS RA CAP IE
The MS Radio Access Capability IE can be _very_ long in some recent high-end mobile phones, way beyond the old 14-byte limit. We increase our array to 52 bytes, and make sure not to overflow that buffer.
Diffstat (limited to 'openbsc/include/openbsc/gprs_sgsn.h')
-rw-r--r--openbsc/include/openbsc/gprs_sgsn.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 5023d0684..62fbb85a5 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -78,7 +78,7 @@ struct sgsn_mm_ctx {
/* CKSN */
enum gprs_ciph_algo ciph_algo;
struct {
- uint8_t buf[14]; /* 10.5.5.12a */
+ uint8_t buf[52]; /* 10.5.5.12a */
uint8_t len;
} ms_radio_access_capa;
struct {
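Review bot: The literal `52` on the new `uint8_t buf[52];` line is the only place this header records the limit, and the length check the commit message mentions is not part of this file, so the code that copies the IE presumably has to repeat the number by hand. Bounding that copy with `sizeof(...ms_radio_access_capa.buf)`, or with a named constant shared with this declaration, would keep the check correct if the array is resized again. A field comment such as `/* 10.5.5.12a; writers must clamp len to sizeof(buf) */` would document the contract for any other writer, and should say whether an over-long IE is truncated or rejected. `struct sgsn_mm_ctx` starts and ends outside the hunk, so other fixed-size IE buffers in it cannot be checked from here.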