gsm48: Add size checks to the paging response mi parsing.

We go from no size checks to some content checking. We should refactor the whole classmark2 + mi parsing that is used throughout the code into one place with proper size checking. This is the start and requires a new libosmocore as well.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-05-16 01:51:14 +0800
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-05-16 01:51:14 +0800
commit: f6903dee891e4e6d7853e35c6fdca22c78559225 (patch)
tree: 53b8302beb597606c3a0b3c343a25ef5567e209d /openbsc/src/gsm_04_08.c
parent: 5d65806472594ecb3f8d4808e311a9d0271fb086 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c
index eecf76ff0..06e19ac0a 100644
--- a/openbsc/src/gsm_04_08.c
+++ b/openbsc/src/gsm_04_08.c
@@ -785,13 +785,16 @@ static int gsm48_rx_rr_pag_resp(struct msgb *msg)
 {
 	struct gsm_bts *bts = msg->lchan->ts->trx->bts;
 	struct gsm48_hdr *gh = msgb_l3(msg);
+	struct gsm48_pag_resp *resp;
 	u_int8_t *classmark2_lv = gh->data + 1;
 	u_int8_t mi_type;
 	char mi_string[GSM48_MI_SIZE];
 	struct gsm_subscriber *subscr = NULL;
 	int rc = 0;
 
-	gsm48_paging_extract_mi(msg, mi_string, &mi_type);
+	resp = (struct gsm48_pag_resp *) &gh->data[0];
+	gsm48_paging_extract_mi(resp, msgb_l3len(msg) - sizeof(*gh),
+				mi_string, &mi_type);
 	DEBUGP(DRR, "PAGING RESPONSE: mi_type=0x%02x MI(%s)\n",
 		mi_type, mi_string);
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-05-16 01:51:14 +0800
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-05-16 01:51:14 +0800
commit	f6903dee891e4e6d7853e35c6fdca22c78559225 (patch)
tree	53b8302beb597606c3a0b3c343a25ef5567e209d /openbsc/src/gsm_04_08.c
parent	5d65806472594ecb3f8d4808e311a9d0271fb086 (diff)