author | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-07-29 05:28:42 +0700 |
---|---|---|
committer | Vadim Yanitskiy <vyanitskiy@sysmocom.de> | 2020-07-29 05:28:54 +0700 |
commit | 72e0f09c03300974049b51d85649dadda970c011 (patch) | |
tree | ebe80000a7d97aa7c2a52b903cc06640d9c8adf5 | |
parent | d9fe7110ea2a30ce0e33b1dd6a99848cb711b489 (diff) |
gsm_04_14: fix off-by-one error in create_gsm0414_msg()
This byte is redundant, and must not be allocated in this function.
A consequence of this error is that the MS always interprets the
"Sub-channel" IE as test loop A regardless of the specified type.
Here is an example of malformed Close TCH loop (type C) message:
0f 00 00 04
x. .. .. .. - Skip indicator (see 3GPP TS 24.007)
.x .. .. .. - Protocol discriminator (see 3GPP TS 24.007)
.. xx .. .. - Message type (CLOSE_TCH_LOOP_CMD)
.. .. !! .. - (!) Redundant byte from create_gsm0414_msg()
.. .. .. xx - (!) The actual "Sub-channel" IE (loop C, X=0)
Change-Id: Ia47225b884439dcd43be307e7351994e55fcd50d
-rw-r--r-- | src/libmsc/gsm_04_14.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libmsc/gsm_04_14.c b/src/libmsc/gsm_04_14.c
index 811655813..03c06fde9 100644
--- a/src/libmsc/gsm_04_14.c
+++ b/src/libmsc/gsm_04_14.c
@@ -43,7 +43,7 @@ static struct msgb *create_gsm0414_msg(uint8_t msg_type)
  struct msgb *msg = gsm48_msgb_alloc_name("GSM 04.14");
  struct gsm48_hdr *gh;
- gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh) + 1);
+ gh = (struct gsm48_hdr *) msgb_put(msg, sizeof(*gh));
  gh->proto_discr = GSM48_PDISC_TEST;
  gh->msg_type = msg_type;
  return msg; |
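Review bot: The result of `gsm48_msgb_alloc_name("GSM 04.14")` reaches `msgb_put()` and the `gh->` writes without a NULL check in the context lines around the changed line, so an allocation failure would presumably be dereferenced here. Consider adding `if (!msg) return NULL;` before the `msgb_put()` call, with callers checking the returned pointer. Since the function now reserves only the header, a one-line comment above the `msgb_put()` call such as `/* header only; callers append their own IEs */` would help keep the extra byte from being reintroduced. The function's opening and closing braces lie outside the hunk, so callers could not be checked from here.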