author | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2013-07-03 10:12:23 +0400 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-07-04 18:34:49 +0200 |
commit | 84402c0c82e0ff9591c760485e0790cf658aef91 (patch) | |
tree | a4e39635584e40f3797c5b67bf3d038a7ff328bd /openbsc/include/openbsc/gprs_sgsn.h | |
parent | f0167ddfc26755ef44be5c6939b3491e3364ba36 (diff) |
sgsn: Fix lengths of MS Network Capability and MS Radio Access Capability elements.
Original code was inconsistent about lengths and could lead to out
of bounds write. Lengths were also inconsistent with the TS 24.008.
Fixes: Coverity CID 1040714.
Diffstat (limited to 'openbsc/include/openbsc/gprs_sgsn.h')
-rw-r--r-- | openbsc/include/openbsc/gprs_sgsn.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/openbsc/include/openbsc/gprs_sgsn.h b/openbsc/include/openbsc/gprs_sgsn.h
index 6a653b7fe..8074d8f9b 100644
--- a/openbsc/include/openbsc/gprs_sgsn.h
+++ b/openbsc/include/openbsc/gprs_sgsn.h
@@ -80,12 +80,12 @@ struct sgsn_mm_ctx {
 /* CKSN */
 enum gprs_ciph_algo ciph_algo;
 struct {
- uint8_t buf[52]; /* 10.5.5.12a */
 uint8_t len;
+ uint8_t buf[50]; /* GSM 04.08 10.5.5.12a, extended in TS 24.008 */
 } ms_radio_access_capa;
 struct {
- uint8_t buf[4]; /* 10.5.5.12 */
 uint8_t len;
+ uint8_t buf[8]; /* GSM 04.08 10.5.5.12, extended in TS 24.008 */
 } ms_network_capa;
 uint16_t drx_parms;
 int mnrg; /* MS reported to HLR? */ |
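Review bot: Both capacities in `struct sgsn_mm_ctx` are still bare literals (`buf[50]`, `buf[8]`), and `ms_radio_access_capa.buf` shrinks from 52 to 50 bytes, so a writer that keeps its own length constant could now run two bytes past the end. The copy sites are not visible here (the diffstat is limited to this header), so it is worth confirming that each one checks the received IE length against `sizeof` of the destination `buf` before the `memcpy` and before storing `len`. The trailing comments should also say what the bound counts, for example `/* max value part (no IEI/length octets), TS 24.008 10.5.5.12a; writers must check against sizeof(buf) */`, if that is indeed what 50 and 8 mean. The hunk also moves `len` ahead of `buf`, which changes the member layout for any positional initializer. The struct body continues outside the hunk.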