[SGSN] Some IEs in ATTACH REQUEST can be longer in 24.008

The original length checks were based on 04.08, but 24.008 allows longer IEs.
author: Harald Welte <laforge@gnumonks.org> 2010-07-03 21:20:06 +0200
committer: Harald Welte <laforge@gnumonks.org> 2010-07-03 21:20:06 +0200
commit: c48ac4750dda4350d2e0a67b6ecbe3496b483f1a (patch)
tree: c9ad5d143d9961f3b24c32691234151fcaca58b0 /openbsc/src/gprs
parent: 4b6ac1edb95f40022bb1cf918a61412a4358b648 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index e07180272..817092e31 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -626,7 +626,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 	/* MS network capability 10.5.5.12 */
 	msnc_len = *cur++;
 	msnc = cur;
-	if (msnc_len > 2)
+	if (msnc_len > 8)
 		goto err_inval;
 	cur += msnc_len;
 
@@ -657,6 +657,8 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 	/* MS Radio Access Capability 10.5.5.12a */
 	ms_ra_acc_cap_len = *cur++;
 	ms_ra_acc_cap = cur;
+	if (ms_ra_acc_cap_len > 51)
+		goto err_inval;
 
 	/* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */
author	Harald Welte <laforge@gnumonks.org>	2010-07-03 21:20:06 +0200
committer	Harald Welte <laforge@gnumonks.org>	2010-07-03 21:20:06 +0200
commit	c48ac4750dda4350d2e0a67b6ecbe3496b483f1a (patch)
tree	c9ad5d143d9961f3b24c32691234151fcaca58b0 /openbsc/src/gprs
parent	4b6ac1edb95f40022bb1cf918a61412a4358b648 (diff)