authorJonathan Santos <jrsantos@jonathanrsantos.com>2011-06-10 13:16:20 -0400
committerJonathan Santos <jrsantos@jonathanrsantos.com>2011-06-23 15:30:30 -0400
commitdbf8411b2fbf5e22c4b2539e3b25bc957d932732 (patch)
tree4faf5c5c5ac111e8f33b7a76064cddbf19651856
parentbab770e493ccd46aadeb8f18cc8ad2dff46047ea (diff)
gprs: Fix segfault on attach caused by MS Radio Access Capability larger than 14 octets
Newer phones are using a MS Radio Access Capability larger than the 14 octets specified in 04.08 Release 1998 (up to 50 octets in Rel 9). This caused the SGSN to crash since it only allocated storage for 14 octets but tried to store up to 51 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.1.1 states: To allow for the addition of future radio technologies, frequency bands, and other enhancements, the SGSN shall store the MS radio access capability even if it is larger than specified in TS 24.008 [13], up to a maximum size of 255 octets.
-rw-r--r--include/openbsc/gprs_sgsn.h4
-rw-r--r--src/gprs/gprs_gmm.c2
2 files changed, 3 insertions, 3 deletions
diff --git a/include/openbsc/gprs_sgsn.h b/include/openbsc/gprs_sgsn.h
index b470c536c..0aed77735 100644
--- a/include/openbsc/gprs_sgsn.h
+++ b/include/openbsc/gprs_sgsn.h
@@ -50,7 +50,7 @@ enum gprs_t3350_mode {
GMM_T3350_MODE_PTMSI_REALL,
};
-#define MS_RADIO_ACCESS_CAPA
+#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255
/* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
/* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
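Review bot: The new constant on line 24 carries no reference to where the 255-octet figure comes from, even though the commit message cites it; a reader of the header alone cannot tell whether 255 is a spec limit or an arbitrary buffer size. I would add the citation on the define itself, e.g. `#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255 /* TS 23.060 6.14.1.1: SGSN shall store MS RA capability up to 255 octets */`. This matters because the value is also the size of a buffer that untrusted Attach Request data is copied into, so the bound should be traceable.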
@@ -78,7 +78,7 @@ struct sgsn_mm_ctx {
/* CKSN */
enum gprs_ciph_algo ciph_algo;
struct {
- uint8_t buf[14]; /* 10.5.5.12a */
+ uint8_t buf[MS_RADIO_ACCESS_CAPA_MAX_LENGTH]; /* 10.5.5.12a */
uint8_t len;
} ms_radio_access_capa;
struct {
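Review bot: The `len` field on line 33 is `uint8_t`, so 255 is exactly the largest value it can hold; with line 32 sizing `buf` by MS_RADIO_ACCESS_CAPA_MAX_LENGTH the macro and the field type are now silently coupled, and raising the macro in a later change would let `len` wrap while `buf` grows. I would record that on the field, e.g. `uint8_t len; /* <= MS_RADIO_ACCESS_CAPA_MAX_LENGTH; widen this if the macro ever exceeds 255 */`. The enclosing `struct sgsn_mm_ctx` starts and ends outside the hunk.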
diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c
index 0730388eb..40733b102 100644
--- a/src/gprs/gprs_gmm.c
+++ b/src/gprs/gprs_gmm.c
@@ -675,7 +675,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
/* MS Radio Access Capability 10.5.5.12a */
ms_ra_acc_cap_len = *cur++;
ms_ra_acc_cap = cur;
- if (ms_ra_acc_cap_len > 51)
+ if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH)
goto err_inval;
/* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */
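Review bot: The bound on line 45 can never be true: ms_ra_acc_cap_len is loaded from a single octet on line 42 (`*cur++`), so its value is at most 255 and `> MS_RADIO_ACCESS_CAPA_MAX_LENGTH` always fails (assuming the variable, declared outside the hunk, is an integer type; if it is `uint8_t` the compiler will warn that the comparison is always false). That is harmless for the destination now that `buf` holds 255 octets, but the length is peer-controlled and is not compared with the octets remaining in msg, so a truncated Attach Request carrying a large length octet would let the subsequent copy or `cur += ms_ra_acc_cap_len` read past the end of the message, unless the remaining length is validated elsewhere in gsm48_rx_gmm_att_req. I would keep the macro comparison as documentation of the buffer size and add the source-side check, e.g. `if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH || ms_ra_acc_cap_len > <octets left in msg after cur>) goto err_inval;`. The function begins before the hunk and continues past it, so the existing remaining-length handling is not visible here.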