author | Harald Welte <laforge@gnumonks.org> | 2010-07-03 21:20:06 +0200 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2010-07-03 21:20:06 +0200 |
commit | c48ac4750dda4350d2e0a67b6ecbe3496b483f1a (patch) | |
tree | c9ad5d143d9961f3b24c32691234151fcaca58b0 /openbsc/src/gprs | |
parent | 4b6ac1edb95f40022bb1cf918a61412a4358b648 (diff) |
[SGSN] Some IEs in ATTACH REQUEST can be longer in 24.008
The original length checks were based on 04.08, but 24.008 allows
longer IEs.
Diffstat (limited to 'openbsc/src/gprs')
-rw-r--r-- | openbsc/src/gprs/gprs_gmm.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index e07180272..817092e31 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -626,7 +626,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS network capability 10.5.5.12 */
 msnc_len = *cur++;
 msnc = cur;
- if (msnc_len > 2)
+ if (msnc_len > 8)
 goto err_inval;
 cur += msnc_len;
@@ -657,6 +657,8 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 /* MS Radio Access Capability 10.5.5.12a */
 ms_ra_acc_cap_len = *cur++;
 ms_ra_acc_cap = cur;
+ if (ms_ra_acc_cap_len > 51)
+ goto err_inval;
 /* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */ |
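Review bot: The new `msnc_len > 8` limit only caps the IE at a specification maximum; nothing visible in this hunk checks that `msnc_len` octets actually remain in the received message before `cur += msnc_len`. Since the length octet comes from the mobile, a truncated ATTACH REQUEST could move `cur` past the end of the msgb data and cause an out-of-bounds read later. The same applies to the `ms_ra_acc_cap_len > 51` check in the second hunk. Unless a remaining-length check exists outside the hunks, add one beside each limit, for example `if (msnc_len > 8 || cur + msnc_len > end) goto err_inval;`, where `end` is a placeholder for however the function tracks the end of the message data. gsm48_rx_gmm_att_req starts and ends outside both hunks.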
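Review bot: After the added `ms_ra_acc_cap_len > 51` check, `cur` is not advanced past the capability, unlike the MS network capability block in the first hunk, where `cur += msnc_len;` follows the check. If the optional IEs named in the next comment are parsed starting at `cur` (that code is outside the hunk), parsing would begin inside the radio access capability bytes; adding `cur += ms_ra_acc_cap_len;` after the check would keep the cursor consistent. The literals 8 and 51 would also be easier to audit as named constants, each with a comment stating whether the bound counts the length octet.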