Diffstat (limited to 'openbsc/src/gprs')
-rw-r--r-- | openbsc/src/gprs/gb_proxy_main.c | 1 | ||||
-rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 14 | ||||
-rw-r--r-- | openbsc/src/gprs/gprs_llc.c | 2 | ||||
-rw-r--r-- | openbsc/src/gprs/sgsn_libgtp.c | 2 | ||||
-rw-r--r-- | openbsc/src/gprs/sgsn_main.c | 1 |
5 files changed, 12 insertions, 8 deletions
diff --git a/openbsc/src/gprs/gb_proxy_main.c b/openbsc/src/gprs/gb_proxy_main.c
index 028f9896f..ee8a87002 100644
--- a/openbsc/src/gprs/gb_proxy_main.c
+++ b/openbsc/src/gprs/gb_proxy_main.c
@@ -36,7 +36,6 @@
 #include <osmocom/core/talloc.h>
 #include <osmocom/core/select.h>
 #include <osmocom/core/rate_ctr.h>
-#include <osmocom/core/process.h>
 #include <openbsc/signal.h>
 #include <openbsc/debug.h>
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index 46c49318f..098e4c25b 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -675,8 +675,9 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS Radio Access Capability 10.5.5.12a */
 ms_ra_acc_cap_len = *cur++;
 ms_ra_acc_cap = cur;
- if (ms_ra_acc_cap_len > 51)
+ if (ms_ra_acc_cap_len > 52)
 goto err_inval;
+ cur += ms_ra_acc_cap_len;
 /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */
@@ -735,8 +736,10 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 ctx->cell_id = cid;
 /* Update MM Context with other data */
 ctx->drx_parms = drx_par;
- ctx->ms_radio_access_capa.len = ms_ra_acc_cap_len;
- memcpy(ctx->ms_radio_access_capa.buf, ms_ra_acc_cap, ms_ra_acc_cap_len);
+ ctx->ms_radio_access_capa.len = OSMO_MIN(ms_ra_acc_cap_len,
+ sizeof((ctx->ms_radio_access_capa.buf)));
+ memcpy(ctx->ms_radio_access_capa.buf, ms_ra_acc_cap,
+ ctx->ms_radio_access_capa.len);
 ctx->ms_network_capa.len = msnc_len;
 memcpy(ctx->ms_network_capa.buf, msnc, msnc_len);
@@ -754,7 +757,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 GPRS_ALGO_GEA0, NULL);
 DEBUGPC(DMM, "\n");
- return ctx ? gsm48_gmm_authorize(ctx, GMM_T3350_MODE_ATT) : 0;
+ return gsm48_gmm_authorize(ctx, GMM_T3350_MODE_ATT);
 err_inval:
 DEBUGPC(DMM, "\n");
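Review bot: In gsm48_rx_gmm_att_req (gprs_gmm.c, hunk at -675) the new `cur += ms_ra_acc_cap_len;` advances the parse pointer by a length byte taken from the received message, and the only bound visible in the hunk is the IE maximum of 52; nothing here checks that this many bytes actually remain in the msgb. If no such check exists outside the hunk, a short message carrying a large length byte lets the later memcpy and the optional-IE parsing read beyond the received data. A guard before the advance, for example `if (cur + ms_ra_acc_cap_len > msg->tail) goto err_inval;`, would reject such a message. The same applies to the identical sequence added in gsm48_rx_gmm_ra_upd_req (hunk at -910). The function body starts and ends outside the hunk.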
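Review bot: In the hunk at -735 of gprs_gmm.c the `OSMO_MIN(...)` clamp makes the copy safe, but it silently truncates a capability IE that passed the `> 52` check yet does not fit `ctx->ms_radio_access_capa.buf`, so the context then holds a cut-off bit field with no log entry. Tying the parse-time limit to the buffer, `if (ms_ra_acc_cap_len > sizeof(ctx->ms_radio_access_capa.buf)) goto err_inval;`, would keep the literal 52 and the buffer size from drifting apart; if oversized IEs must still be accepted, the truncation should at least be logged. The doubled parentheses in `sizeof((ctx->ms_radio_access_capa.buf))` can be dropped. The `memcpy` into `ctx->ms_network_capa.buf` two lines below still uses `msnc_len` directly; whether that length is bounded earlier is not visible in this hunk and is worth confirming.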
@@ -910,6 +913,9 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
 /* MS Radio Access Capability 10.5.5.12a */
 ms_ra_acc_cap_len = *cur++;
 ms_ra_acc_cap = cur;
+ if (ms_ra_acc_cap_len > 52)
+ return gsm48_tx_gmm_ra_upd_rej(msg, GMM_CAUSE_PROTO_ERR_UNSPEC);
+ cur += ms_ra_acc_cap_len;
 /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status,
 * DRX parameter, MS network capability */
diff --git a/openbsc/src/gprs/gprs_llc.c b/openbsc/src/gprs/gprs_llc.c
index f7408ef97..7d4ed51e4 100644
--- a/openbsc/src/gprs/gprs_llc.c
+++ b/openbsc/src/gprs/gprs_llc.c
@@ -696,7 +696,7 @@ int gprs_llc_rcvmsg(struct msgb *msg, struct tlv_parsed *tv)
 struct gprs_llc_llme *llme;
 /* FIXME: don't use the TLLI but the 0xFFFF unassigned? */
 llme = llme_alloc(msgb_tlli(msg));
- LOGP(DLLC, LOGL_DEBUG, "LLC RX: unknown TLLI 0x08x, "
+ LOGP(DLLC, LOGL_DEBUG, "LLC RX: unknown TLLI 0x%08x, "
 "creating LLME on the fly\n", msgb_tlli(msg));
 lle = &llme->lle[llhp.sapi];
 } else {
diff --git a/openbsc/src/gprs/sgsn_libgtp.c b/openbsc/src/gprs/sgsn_libgtp.c
index f193aa308..71694a433 100644
--- a/openbsc/src/gprs/sgsn_libgtp.c
+++ b/openbsc/src/gprs/sgsn_libgtp.c
@@ -500,8 +500,6 @@ int sgsn_rx_sndcp_ud_ind(struct gprs_ra_id *ra_id, int32_t tlli, uint8_t nsapi,
 rate_ctr_add(&mmctx->ctrg->ctr[GMM_CTR_BYTES_UDATA_IN], npdu_len);
 return gtp_data_req(pdp->ggsn->gsn, pdp->lib, npdu, npdu_len);
-
- return gtp_data_req(pdp->ggsn->gsn, pdp->lib, npdu, npdu_len);
 }
 /* libgtp select loop integration */
diff --git a/openbsc/src/gprs/sgsn_main.c b/openbsc/src/gprs/sgsn_main.c
index bfa2e52c8..fa61e0e3b 100644
--- a/openbsc/src/gprs/sgsn_main.c
+++ b/openbsc/src/gprs/sgsn_main.c
@@ -281,5 +281,6 @@ int main(int argc, char **argv)
 exit(3);
 }
+ /* not reached */
 exit(0);
 } |
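Review bot: The rejection added to gsm48_rx_gmm_ra_upd_req (gprs_gmm.c, hunk at -910) returns without any log output, so an oversized MS Radio Access Capability from a mobile leaves no trace on the SGSN side. A line before the return such as `LOGP(DMM, LOGL_NOTICE, "RA Update Request: MS Radio Access Capability length %u exceeds 52\n", ms_ra_acc_cap_len);` would make malformed requests visible to operators. The literal 52 now appears in two functions; a named constant with a reference to 10.5.5.12a would keep the two checks in step. The function body starts and ends outside the hunk.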
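Review bot: In gprs_llc_rcvmsg (gprs_llc.c, hunk at -696) the result of `llme_alloc(msgb_tlli(msg))` is dereferenced in `lle = &llme->lle[llhp.sapi];` without a NULL check. The body of llme_alloc is not on this page; if it can fail, an allocation failure on a frame with an unknown TLLI becomes a NULL dereference, and `if (!llme) return -ENOMEM;` directly after the call would turn that into an error return. Because this branch creates state for every unknown TLLI, which the existing FIXME already questions, a limit on on-the-fly LLME creation is also worth considering. The function body starts and ends outside the hunk.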