From eb2730e646aa5f38614c8a145088445f0cd67eca Mon Sep 17 00:00:00 2001 From: Jonathan Santos Date: Fri, 10 Jun 2011 15:22:11 -0400 Subject: gprs: Fix possible segfault on attach caused by MS Network Capability larger than 4 octets The SGSN was allowing MS Network Capability of up to 8 octets, but only allocating storage for 4 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.2 states: To allow for the addition of future features, the SGSN shall store the UE Network Capability and the MS Network Capability even if either or both is larger than specified in TS 24.008 [13]/TS 24.301 [102], up to a maximum size of 32 octets for each IE. --- src/gprs/gprs_gmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/gprs') diff --git a/src/gprs/gprs_gmm.c b/src/gprs/gprs_gmm.c index 40733b102..cf6cecf91 100644 --- a/src/gprs/gprs_gmm.c +++ b/src/gprs/gprs_gmm.c @@ -644,7 +644,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg, /* MS network capability 10.5.5.12 */ msnc_len = *cur++; msnc = cur; - if (msnc_len > 8) + if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH) goto err_inval; cur += msnc_len; -- cgit v1.2.3
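Review bot: the new bound `if (msnc_len > MS_NETWORK_CAPA_MAX_LENGTH)` only closes the overflow if that constant is the same value as the size of the buffer the capability is later copied into, and neither the constant's definition nor the copy is in this hunk; please state the value (the message cites a 32-octet maximum from TS 23.060) and where it is defined in the commit message, and consider checking the length against the destination buffer itself (e.g. `sizeof` of the storage field, or a compile-time assertion tying the two together) so the two cannot drift apart in a later edit. Separately, the visible lines `msnc_len = *cur++; msnc = cur; ... cur += msnc_len;` bound the length against storage capacity but not against the number of octets remaining in `msg`; if that is checked elsewhere, a short comment here would make it clear that an undersized message cannot advance `cur` past the end of the buffer.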