From 4b2ed35b8f35b86ad19e9ff12485dba8adc26e50 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Wed, 27 Jul 2011 23:35:38 +0200
Subject: GPRS: Fix buffer overflow in case of very long MS RA CAP IE

The MS Radio Access Capability IE can be _very_ long in some recent high-end mobile phones, way beyond the old 14-byte limit. We increase our array to 52 bytes, and make sure not to overflow that buffer.
---
 openbsc/include/openbsc/gprs_sgsn.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'openbsc/include/openbsc/gprs_sgsn.h')

diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 5023d0684..62fbb85a5 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -78,7 +78,7 @@ struct sgsn_mm_ctx {
 	/* CKSN */
 	enum gprs_ciph_algo ciph_algo;
 	struct {
-		uint8_t buf[14];	/* 10.5.5.12a */
+		uint8_t buf[52];	/* 10.5.5.12a */
 		uint8_t len;
 	} ms_radio_access_capa;
 	struct {
-- 
cgit v1.2.3
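Review bot: The widened array is still a bare literal, so the length check the commit message promises has to repeat `52` (or use `sizeof`) wherever the IE is copied into `ms_radio_access_capa.buf`; declare the size once, e.g. `#define GPRS_MS_RA_CAP_MAX_LEN 52` and `uint8_t buf[GPRS_MS_RA_CAP_MAX_LEN];`, so the copy site can bound against the same constant and the two cannot drift apart. That bound is not visible here, as the patch view is limited to the header, so it is worth confirming that the copy site rejects an IE longer than `sizeof(buf)` rather than truncating it silently, since an over-long IE from a handset is exactly the input behind the original overflow. The comment `/* 10.5.5.12a */` would also read better as a note that the figure is the maximum length of the IE as specified there, if that is indeed where 52 comes from. `struct sgsn_mm_ctx` begins and ends outside the hunk.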