-rw-r--r--include/openbsc/gprs_sgsn.h3
-rw-r--r--src/gprs/gprs_gmm.c2
2 files changed, 3 insertions, 2 deletions
diff --git a/include/openbsc/gprs_sgsn.h b/include/openbsc/gprs_sgsn.h
index 0aed77735..e641e9918 100644
--- a/include/openbsc/gprs_sgsn.h
+++ b/include/openbsc/gprs_sgsn.h
@@ -51,6 +51,7 @@ enum gprs_t3350_mode {
};
#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255
+#define MS_NETWORK_CAPA_MAX_LENGTH 32
/* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
/* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
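Review bot: `MS_NETWORK_CAPA_MAX_LENGTH` is introduced as 32 with no comment saying where the figure comes from, although the check it replaces in gprs_gmm.c allowed 8 and the field it sizes is annotated only with 10.5.5.12. A one-line comment above the define, for example `/* max. stored MS network capability value octets (10.5.5.12); larger than the former limit of 8 */`, would tell a later reader whether 32 is a specification figure or a tolerance margin. Because the length is kept in a `uint8_t len` next to the buffer, the comment should also say the constant must not exceed 255.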
@@ -82,7 +83,7 @@ struct sgsn_mm_ctx {
uint8_t len;
} ms_radio_access_capa;
struct {
- uint8_t buf[4]; /* 10.5.5.12 */
+ uint8_t buf[MS_NETWORK_CAPA_MAX_LENGTH]; /* 10.5.5.12 */
uint8_t len;
} ms_network_capa;
uint16_t drx_parms;
diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c
index 40733b102..cf6cecf91 100644
--- a/src/gprs/gprs_gmm.c
+++ b/src/gprs/gprs_gmm.c
@@ -644,7 +644,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
/* MS network capability 10.5.5.12 */
msnc_len = *cur++;
msnc = cur;
- if (msnc_len > 8)
+ if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH)
goto err_inval;
cur += msnc_len;
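Review bot: The bound on `msnc_len` is written against the macro rather than against the destination buffer, which is the same decoupling that previously let the check (8) exceed the storage (4). Writing it as `if (msnc_len > sizeof(ctx->ms_network_capa.buf))` keeps the check tied to the struct if the field is resized again. Separately, the hunk shows `msnc_len` taken from the message and `cur` advanced by it with only this upper bound; whether the remaining message length is verified before `cur += msnc_len` is not visible here, and if it is not, a truncated Attach Request could leave `cur` pointing past the received data. gsm48_rx_gmm_att_req starts and ends outside the hunk, so that check may exist elsewhere in the function.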