diff options
| -rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c index e07180272..817092e31 100644 --- a/openbsc/src/gprs/gprs_gmm.c +++ b/openbsc/src/gprs/gprs_gmm.c @@ -626,7 +626,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS network capability 10.5.5.12 */ msnc_len = *cur++; msnc = cur; - if (msnc_len > 2) + if (msnc_len > 8) goto err_inval; cur += msnc_len; @@ -657,6 +657,8 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS Radio Access Capability 10.5.5.12a */ ms_ra_acc_cap_len = *cur++; ms_ra_acc_cap = cur; + if (ms_ra_acc_cap_len > 51) + goto err_inval; /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */ |