From 681be20a8c32331dcb44db2ec0e99294f1eb89ba Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sat, 24 Feb 2018 23:57:33 +0100
Subject: paging: Fix encoding of PAGING TYPE 3 Rest Octets
The RR PAGING TYPE 3 Rest Octets IE contains (among other things) the channel type needed for Mobile Identity 3 + 4 in the paging message. We did not only "forget" to encode those channel type needed field, but we have a completely wrong definition of those rest octets in libosmocore/include/gsm/protocol/gsm04_08.h "struct gsm48_paging3"
Change-Id: I3a0bca6707ce95b68459c89f5b2b07f1590a1ab3
Closes: OS#2994
---
src/common/paging.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
(limited to 'src/common/paging.c')
diff --git a/src/common/paging.c b/src/common/paging.c
index 4c4fd19e..d2acd70a 100644
--- a/src/common/paging.c
+++ b/src/common/paging.c
@@ -323,13 +323,12 @@ static int fill_paging_type_2(uint8_t *out_buf, const uint8_t *tmsi1_lv,
 return cur - out_buf;
 }
-static int fill_paging_type_3(uint8_t *out_buf, const uint8_t *tmsi1_lv,
- uint8_t cneed1, const uint8_t *tmsi2_lv,
- uint8_t cneed2, const uint8_t *tmsi3_lv,
- const uint8_t *tmsi4_lv)
+static int fill_paging_type_3(uint8_t *out_buf, const uint8_t *tmsi1_lv, uint8_t cneed1,
+ const uint8_t *tmsi2_lv, uint8_t cneed2,
+ const uint8_t *tmsi3_lv, uint8_t cneed3,
+ const uint8_t *tmsi4_lv, uint8_t cneed4)
 {
 struct gsm48_paging3 *pt3 = (struct gsm48_paging3 *) out_buf;
- uint8_t *cur;
 memset(out_buf, 0, sizeof(*pt3));
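Review bot: fill_paging_type_3 now takes four identity/channel-needed pairs and an unsized `out_buf`, but the new signature carries no comment stating its contract. A short block comment above it would help callers: that each `tmsiN_lv` is (presumably) a length-value mobile identity, that only the low two bits of `cneed3`/`cneed4` are encoded (the body masks them with `& 3` in the next hunk), and that `out_buf` must have room for the 21 bytes the function returns. The body continues outside this hunk, so how `cneed1`/`cneed2` are range-limited is not visible here and should be confirmed when writing the comment.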
@@ -343,9 +342,12 @@ static int fill_paging_type_3(uint8_t *out_buf, const uint8_t *tmsi1_lv,
 tmsi_mi_to_uint(&pt3->tmsi3, tmsi3_lv);
 tmsi_mi_to_uint(&pt3->tmsi4, tmsi4_lv);
- cur = out_buf + sizeof(*pt3);
+ /* The structure definition in libosmocore is wrong. It includes as last
+ * byte some invalid definition of chneed3/chneed4, so we must do this by hand
+ * here and cannot rely on sizeof(*pt3) */
+ out_buf[20] = (0x23 & ~0xf8) | 0x80 | (cneed3 & 3) << 5 | (cneed4 & 3) << 3;
- return cur - out_buf;
+ return 21;
 }
 static const uint8_t empty_id_lv[] = { 0x01, 0xF0 };
@@ -469,7 +471,9 @@ int paging_gen_msg(struct paging_state *ps, uint8_t *out_buf, struct gsm_time *g
 pr[1]->u.paging.identity_lv,
 pr[1]->u.paging.chan_needed,
 pr[2]->u.paging.identity_lv,
- pr[3]->u.paging.identity_lv);
+ pr[2]->u.paging.chan_needed,
+ pr[3]->u.paging.identity_lv,
+ pr[3]->u.paging.chan_needed);
 } else if (num_pr >= 3 && num_imsi <= 1) {
 /* 3 or 4, of which only up to 1 is IMSI */
 DEBUGP(DPAG, "Tx PAGING TYPE 2 (2 TMSI,1 xMSI)\n");
-- cgit v1.2.3
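Review bot: The rest-octets byte is written at a hard-coded `out_buf[20]` and the length returned as a bare `21`, while the `memset` at the top of the function (previous hunk) still clears `sizeof(*pt3)` bytes, so nothing ties the offset, the cleared region and the caller's buffer size together. Named constants would make that checkable, e.g. `#define PT3_REST_OCT_OFFSET 20` (suggested name) used as `out_buf[PT3_REST_OCT_OFFSET] = ...;` and `return PT3_REST_OCT_OFFSET + 1;`. The function takes no length argument, so the 21-byte minimum for `out_buf` should be stated in a comment or asserted where the buffer is provided. The literal `0x23 & ~0xf8` evaluates to 0x03; if it is meant to carry the low bits of the 0x2b padding octet the result is the same, but `0x80 | ((cneed3 & 3) << 5) | ((cneed4 & 3) << 3) | 0x03` with a comment naming each bit field would make the encoding easier to review.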