-rw-r--r-- | include/openbsc/gprs_sgsn.h | 3 | ||||
-rw-r--r-- | src/gprs/gprs_gmm.c | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/include/openbsc/gprs_sgsn.h b/include/openbsc/gprs_sgsn.h
index 0aed77735..e641e9918 100644
--- a/include/openbsc/gprs_sgsn.h
+++ b/include/openbsc/gprs_sgsn.h
@@ -51,6 +51,7 @@ enum gprs_t3350_mode {
 };
 #define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255
+#define MS_NETWORK_CAPA_MAX_LENGTH 32
 /* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
 /* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
@@ -82,7 +83,7 @@ struct sgsn_mm_ctx {
 uint8_t len;
 } ms_radio_access_capa;
 struct {
- uint8_t buf[4]; /* 10.5.5.12 */
+ uint8_t buf[MS_NETWORK_CAPA_MAX_LENGTH]; /* 10.5.5.12 */
 uint8_t len;
 } ms_network_capa;
 uint16_t drx_parms;
diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c
index 40733b102..cf6cecf91 100644
--- a/src/gprs/gprs_gmm.c
+++ b/src/gprs/gprs_gmm.c
@@ -644,7 +644,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS network capability 10.5.5.12 */
 msnc_len = *cur++;
 msnc = cur;
- if (msnc_len > 8)
+ if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH)
 goto err_inval;
 cur += msnc_len; |
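Review bot: `MS_NETWORK_CAPA_MAX_LENGTH` is introduced in the first hunk of gprs_sgsn.h with no comment saying what the 32 bounds or where the value comes from. The removed lines used 4 for the buffer and 8 for the receive check, so a reader cannot tell whether 32 is a specification maximum or deliberate headroom. A comment above the define would record that, for example `/* max. bytes of the MS network capability value (10.5.5.12) kept in sgsn_mm_ctx; must stay <= 255 because the len field is uint8_t */`. The same constant sizes `ms_network_capa.buf` in the second hunk of this file, so the comment covers both.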
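Review bot: The new bound in gsm48_rx_gmm_att_req is the macro, but what needs protecting is the destination array, so `if (msnc_len > sizeof(ctx->ms_network_capa.buf))` would tie the check to the buffer directly. That mismatch is what the removed lines show, a limit of 8 against a `buf[4]`; `sizeof` does not evaluate its operand, so it is safe whatever state `ctx` is in at this point. Separately, `msnc_len` is read from the received message and `cur += msnc_len` follows with no comparison against the remaining message length visible in this hunk. If nothing earlier in the function guarantees that, a check against the end of the msgb is needed before advancing. The function begins and ends outside the hunk, so the later copy into the context and any earlier length validation cannot be confirmed from here.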