diff options
authorHarald Welte <laforge@gnumonks.org>2018-02-24 19:15:04 +0100
committerHarald Welte <laforge@gnumonks.org>2018-02-24 19:26:42 +0100
commitd3875a8fcbf8caf5e9c0180c4f9672d2cc9eac9b (patch)
parent84de287da02f0c4392a8b1d482ee5d4d3bb4a8ff (diff)
paging.c: Fix encoding of optional Mobile ID RR PAGING TYPE 1 / 2
It seems we have been encoding PAGING REQUEST TYPE 1 and PAGING REQUEST TYPE 2 erroneously all the time. The optional last Mobile Identity in those messages are TLV, not just LV. This is a quite serious bug in one of the most fundamental parts of the Radio Resource layer, and it has likely stayed hidden for a long time as usually in small networks there's a low paging load, reducing the amount of pressure to put multiple identities in one PAGING REQUEST message. Change-Id: Icc320ed130d0c29e9260a6a2aabe52e7346c3888 Closes: OS#2993
1 files changed, 2 insertions, 2 deletions
diff --git a/src/common/paging.c b/src/common/paging.c
index c5c23d76..4c4fd19e 100644
--- a/src/common/paging.c
+++ b/src/common/paging.c
@@ -290,7 +290,7 @@ static int fill_paging_type_1(uint8_t *out_buf, const uint8_t *identity1_lv,
pt1->cneed2 = chan2 & 3;
cur = lv_put(pt1->data, identity1_lv[0], identity1_lv+1);
if (identity2_lv)
- cur = lv_put(cur, identity2_lv[0], identity2_lv+1);
+ cur = tlv_put(cur, GSM48_IE_MOBILE_ID, identity2_lv[0], identity2_lv+1);
pt1->l2_plen = L2_PLEN(cur - out_buf);
@@ -316,7 +316,7 @@ static int fill_paging_type_2(uint8_t *out_buf, const uint8_t *tmsi1_lv,
cur = out_buf + sizeof(*pt2);
if (identity3_lv)
- cur = lv_put(pt2->data, identity3_lv[0], identity3_lv+1);
+ cur = tlv_put(pt2->data, GSM48_IE_MOBILE_ID, identity3_lv[0], identity3_lv+1);
pt2->l2_plen = L2_PLEN(cur - out_buf);