diff options
author | Jonathan Santos <jrsantos@jonathanrsantos.com> | 2011-06-10 15:22:11 -0400 |
---|---|---|
committer | Jonathan Santos <jrsantos@jonathanrsantos.com> | 2011-06-23 15:30:30 -0400 |
commit | eb2730e646aa5f38614c8a145088445f0cd67eca (patch) | |
tree | 3dddef894f925323270ba42a6516aff2b00f2b46 /src | |
parent | dbf8411b2fbf5e22c4b2539e3b25bc957d932732 (diff) |
gprs: Fix possible segfault on attach caused by MS Network Capability larger than 4 octets
The SGSN was allowing MS Network Capability of up to 8 octets, but only allocating
storage for 4 octets.
TS 23.060 version 9.7.0 Release 9 section 6.14.2 states:
To allow for the addition of future features, the SGSN shall
store the UE Network Capability and the MS Network Capability
even if either or both is larger than specified in TS 24.008
[13]/TS 24.301 [102], up to a maximum size of 32 octets for
each IE.
Diffstat (limited to 'src')
-rw-r--r-- | src/gprs/gprs_gmm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c index 40733b102..cf6cecf91 100644 --- a/src/gprs/gprs_gmm.c +++ b/src/gprs/gprs_gmm.c @@ -644,7 +644,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS network capability 10.5.5.12 */ msnc_len = *cur++; msnc = cur; - if (msnc_len > 8) + if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH) goto err_inval; cur += msnc_len; |