From dbf8411b2fbf5e22c4b2539e3b25bc957d932732 Mon Sep 17 00:00:00 2001 From: Jonathan Santos Date: Fri, 10 Jun 2011 13:16:20 -0400 Subject: gprs: Fix segfault on attach caused by MS Radio Access Capability larger than 14 octets Newer phones are using a MS Radio Access Capability larger than the 14 octets specified in 04.08 Release 1998 (up to 50 octets in Rel 9). This caused the SGSN to crash since it only allocated storage for 14 octets but tried to store up to 51 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.1.1 states: To allow for the addition of future radio technologies, frequency bands, and other enhancements, the SGSN shall store the MS radio access capability even if it is larger than specified in TS 24.008 [13], up to a maximum size of 255 octets. --- src/gprs/gprs_gmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/gprs/gprs_gmm.c') diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c index 0730388eb..40733b102 100644 --- a/src/gprs/gprs_gmm.c +++ b/src/gprs/gprs_gmm.c @@ -675,7 +675,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS Radio Access Capability 10.5.5.12a */ ms_ra_acc_cap_len = *cur++; ms_ra_acc_cap = cur; - if (ms_ra_acc_cap_len > 51) + if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH) goto err_inval; /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */ -- cgit v1.2.3
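Review bot: The replaced bound check in gsm48_rx_gmm_att_req now relies on MS_RADIO_ACCESS_CAPA_MAX_LENGTH, but neither the macro's definition nor the storage it must match is visible in this diff (the diffstat shows only src/gprs/gprs_gmm.c changed, 1 insertion, 1 deletion). Since the commit message says the crash came from a 14-octet buffer receiving up to 51 octets, the fix is only complete if the buffer in struct sgsn_mm_ctx that later receives ms_ra_acc_cap is sized from the same constant (255 per the TS 23.060 text quoted in the message); please reference the header change that introduces the macro and the buffer resize, or add them to this patch, and use the same constant in the copy so the check and the allocation cannot drift apart again. Separately, the visible lines read `ms_ra_acc_cap_len = *cur++; ms_ra_acc_cap = cur;` and then compare only against the maximum; there is no check that ms_ra_acc_cap_len octets actually remain in msg before the capability is consumed, so a short message could still be over-read unless the caller guarantees it, and a `cur + ms_ra_acc_cap_len > msgb tail` test next to the existing `goto err_inval` would close that gap.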