author    Jonathan Santos <jrsantos@jonathanrsantos.com>  2011-06-10 13:16:20 -0400
committer Jonathan Santos <jrsantos@jonathanrsantos.com>  2011-06-23 15:30:30 -0400
commit    dbf8411b2fbf5e22c4b2539e3b25bc957d932732
tree      4faf5c5c5ac111e8f33b7a76064cddbf19651856 /src
parent    bab770e493ccd46aadeb8f18cc8ad2dff46047ea
gprs: Fix segfault on attach caused by MS Radio Access Capability larger than 14 octets
Newer phones are using an MS Radio Access Capability larger than the 14 octets specified in 04.08 Release 1998 (up to 50 octets in Rel 9). This caused the SGSN to crash since it only allocated storage for 14 octets but tried to store up to 51 octets.

TS 23.060 version 9.7.0 Release 9 section states:

    To allow for the addition of future radio technologies, frequency bands, and other enhancements, the SGSN shall store the MS radio access capability even if it is larger than specified in TS 24.008 [13], up to a maximum size of 255 octets.
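The crash described in the commit message is a classic length-prefixed-IE bug: the length octet is validated against one bound (51) while the copy lands in storage sized by another (14). The following is an added example, not code from this commit or from osmo-sgsn, that reproduces that shape in isolation: a pre-fix parser whose accept limit and storage size disagree, next to a hardened parser that bounds the copy by the storage size and by the octets actually left in the message (the second check is not part of the one-line fix above; it is included here because it is the companion check a reviewer would ask for). The `ms_ra_cap_store` struct, the helper names, the constructed IE contents, and the value 255 for `MS_RADIO_ACCESS_CAPA_MAX_LENGTH` are all assumptions; the diff does not show the macro's definition.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Figures from the commit message: 04.08 R98 specified 14 octets, the old
 * code accepted IEs up to 51 octets, TS 23.060 Rel-9 wants up to 255 stored. */
#define MS_RA_CAP_STORAGE_OLD           14
#define MS_RA_CAP_LIMIT_OLD             51
#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255  /* assumed value, not shown in the diff */

/* Hypothetical stand-in for the capability storage inside an SGSN MM context. */
struct ms_ra_cap_store {
    uint8_t *buf;       /* backing storage for the capability octets */
    size_t   buf_size;  /* how many octets the context can really hold */
    uint8_t  len;       /* length of the stored IE value */
};

/* Pre-fix logic. 'cur' points at the length octet of the IE. The length is
 * compared against 51, but the copy goes into 14 octets of storage, so any IE
 * of 15..51 octets writes past the end. Returns 0 on success, -1 if rejected. */
static int parse_ms_ra_cap_old(struct ms_ra_cap_store *st, const uint8_t *cur, size_t remaining)
{
    size_t len;
    if (remaining < 1)
        return -1;
    len = *cur++;
    if (len > MS_RA_CAP_LIMIT_OLD)
        return -1;                      /* err_inval */
    memcpy(st->buf, cur, len);          /* BUG: ignores st->buf_size (14) */
    st->len = (uint8_t)len;
    return 0;
}

/* Hardened logic: the copy is bounded by the storage size and by the octets
 * left in the message, so neither an over-long nor a truncated IE can overrun. */
static int parse_ms_ra_cap_new(struct ms_ra_cap_store *st, const uint8_t *cur, size_t remaining)
{
    size_t len;
    if (remaining < 1)
        return -1;
    len = *cur++;
    remaining--;
    if (len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH || len > st->buf_size)
        return -1;                      /* larger than the context can store */
    if (len > remaining)
        return -1;                      /* claimed length exceeds the payload left */
    memcpy(st->buf, cur, len);
    st->len = (uint8_t)len;
    return 0;
}

/* Builds a constructed IE: length octet followed by n recognisable value
 * octets (0xA0..0xAF, never 0xFF). Returns total bytes written, 0 on error. */
static size_t build_ms_ra_cap_ie(uint8_t *out, size_t out_size, size_t n)
{
    size_t i;
    if (n > 255 || out_size < n + 1)
        return 0;
    out[0] = (uint8_t)n;
    for (i = 0; i < n; i++)
        out[1 + i] = (uint8_t)(0xA0 + (i & 0x0f));
    return n + 1;
}

/* Feeds an n-octet IE to the old parser with a 14-octet region inside a larger
 * 0xFF-filled buffer; returns how many octets beyond the 14 were clobbered
 * (0 = no overflow), or -1 if the parser rejected the IE. The guard area keeps
 * the write inside one real object so the demonstration itself is well-defined. */
static int old_parser_overflow_octets(size_t n)
{
    uint8_t backing[MS_RA_CAP_STORAGE_OLD + 64];
    uint8_t msg[256 + 1];
    struct ms_ra_cap_store st = { backing, MS_RA_CAP_STORAGE_OLD, 0 };
    size_t ie_len, i;
    int clobbered = 0;

    memset(backing, 0xFF, sizeof(backing));
    ie_len = build_ms_ra_cap_ie(msg, sizeof(msg), n);
    if (ie_len == 0 || parse_ms_ra_cap_old(&st, msg, ie_len) != 0)
        return -1;
    for (i = MS_RA_CAP_STORAGE_OLD; i < sizeof(backing); i++)
        if (backing[i] != 0xFF)
            clobbered++;
    return clobbered;
}

/* Returns 1 if the hardened parser accepted an n-octet IE into 255-octet
 * storage and stored exactly n octets, 0 if it rejected it. 'truncate' drops
 * that many trailing message octets to simulate a short Attach Request. */
static int new_parser_accepts(size_t n, size_t truncate)
{
    uint8_t backing[MS_RADIO_ACCESS_CAPA_MAX_LENGTH];
    uint8_t msg[256 + 1];
    struct ms_ra_cap_store st = { backing, sizeof(backing), 0 };
    size_t ie_len = build_ms_ra_cap_ie(msg, sizeof(msg), n);
    if (ie_len == 0 || truncate > ie_len)
        return 0;
    if (parse_ms_ra_cap_new(&st, msg, ie_len - truncate) != 0)
        return 0;
    return st.len == n && memcmp(st.buf, msg + 1, n) == 0;
}

int main(void)
{
    printf("old parser, 50-octet IE: %d octets past the 14-octet buffer\n",
           old_parser_overflow_octets(50));
    printf("new parser, 50-octet IE: %s\n", new_parser_accepts(50, 0) ? "stored" : "rejected");
    printf("new parser, 50-octet IE truncated by 10: %s\n",
           new_parser_accepts(50, 10) ? "stored" : "rejected");
    return 0;
}
```

The useful lesson is that the accept limit, the storage size and the bytes remaining in the message are three separate bounds; the old code only enforced the first, and the one-line fix makes the first agree with the second. Bounding by the remaining message length is the extra check worth adding whenever the length octet comes from the peer.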
Diffstat (limited to 'src')
1 files changed, 1 insertions, 1 deletions
diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c
index 0730388eb..40733b102 100644
--- a/src/gprs/gprs_gmm.c
+++ b/src/gprs/gprs_gmm.c
@@ -675,7 +675,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
/* MS Radio Access Capability */
ms_ra_acc_cap_len = *cur++;
ms_ra_acc_cap = cur;
- if (ms_ra_acc_cap_len > 51)
+ if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH)
goto err_inval;
/* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */
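Review bot: the new comparison still only bounds ms_ra_acc_cap_len against the storage limit; nothing in this hunk checks that ms_ra_acc_cap_len octets actually remain in msg after cur, so a truncated Attach Request with a large length octet can still make a later copy read past the end of the message. Suggest adding a check of ms_ra_acc_cap_len against the remaining length of msg beside the new one, with the same goto err_inval. Two smaller points: the definition of MS_RADIO_ACCESS_CAPA_MAX_LENGTH and the context field it must match are not in this src/ diff (the diffstat shows one file, one line changed), so a reader cannot confirm from the patch that storage was actually grown from 14 octets; and since ms_ra_acc_cap_len is read from a single octet (`ms_ra_acc_cap_len = *cur++;`), it can never exceed 255, so if the macro is set to the 255 named in the commit message this comparison can never be true and is effectively dead, which is fine but worth a comment.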