sgsn: Fix lengths of MS Network Capability and MS Radio Access Capability elements.

Original code was inconsistent about lengths and could lead to out of bounds write. Lengths were also inconsistent with the TS 24.008. Fixes: Coverity CID 1040714.
author: Alexander Chemeris <Alexander.Chemeris@gmail.com> 2013-07-03 10:12:23 +0400
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> 2013-07-04 18:34:49 +0200
commit: 84402c0c82e0ff9591c760485e0790cf658aef91 (patch)
tree: a4e39635584e40f3797c5b67bf3d038a7ff328bd /openbsc/include
parent: f0167ddfc26755ef44be5c6939b3491e3364ba36 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 6a653b7fe..8074d8f9b 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -80,12 +80,12 @@ struct sgsn_mm_ctx {
 	/* CKSN */
 	enum gprs_ciph_algo	ciph_algo;
 	struct {
-		uint8_t	buf[52];	/* 10.5.5.12a */
 		uint8_t	len;
+		uint8_t	buf[50];	/* GSM 04.08 10.5.5.12a, extended in TS 24.008 */
 	} ms_radio_access_capa;
 	struct {
-		uint8_t	buf[4];		/* 10.5.5.12 */
 		uint8_t	len;
+		uint8_t	buf[8];		/* GSM 04.08 10.5.5.12, extended in TS 24.008 */
 	} ms_network_capa;
 	uint16_t		drx_parms;
 	int			mnrg;	/* MS reported to HLR? */
author	Alexander Chemeris <Alexander.Chemeris@gmail.com>	2013-07-03 10:12:23 +0400
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	2013-07-04 18:34:49 +0200
commit	84402c0c82e0ff9591c760485e0790cf658aef91 (patch)
tree	a4e39635584e40f3797c5b67bf3d038a7ff328bd /openbsc/include
parent	f0167ddfc26755ef44be5c6939b3491e3364ba36 (diff)