gprs: Fix segfault on attach caused by MS Radio Access Capability larger than 14 octets

Newer phones are using a MS Radio Access Capability larger than the 14 octets specified in 04.08 Release 1998 (up to 50 octets in Rel 9). This caused the SGSN to crash since it only allocated storage for 14 octets but tried to store up to 51 octets. TS 23.060 version 9.7.0 Release 9 section 6.14.1.1 states: To allow for the addition of future radio technologies, frequency bands, and other enhancements, the SGSN shall store the MS radio access capability even if it is larger than specified in TS 24.008 [13], up to a maximum size of 255 octets.
2011-06-10 13:16:20 -04:00 · 2011-06-10 13:16:20 -04:00 · dbf8411b2f
parent bab770e493
commit dbf8411b2f
2 changed files with 3 additions and 3 deletions
--- a/include/openbsc/gprs_sgsn.h
+++ b/include/openbsc/gprs_sgsn.h
@ -50,7 +50,7 @@ enum gprs_t3350_mode {
 	GMM_T3350_MODE_PTMSI_REALL,
 };

-#define MS_RADIO_ACCESS_CAPA
+#define MS_RADIO_ACCESS_CAPA_MAX_LENGTH 255

 /* According to TS 03.60, Table 5: SGSN MM and PDP Contexts */
 /* Extended by 3GPP TS 23.060, Table 6: SGSN MM and PDP Contexts */
@ -78,7 +78,7 @@ struct sgsn_mm_ctx {
 	/* CKSN */
 	enum gprs_ciph_algo	ciph_algo;
 	struct {
-		uint8_t	buf[14];	/* 10.5.5.12a */
+		uint8_t	buf[MS_RADIO_ACCESS_CAPA_MAX_LENGTH];	/* 10.5.5.12a */
 		uint8_t	len;
 	} ms_radio_access_capa;
 	struct {
--- a/src/gprs/gprs_gmm.c
+++ b/src/gprs/gprs_gmm.c
@ -675,7 +675,7 @@ static int gsm48_rx_gmm_att_req(struct sgsn_mm_ctx *ctx, struct msgb *msg,
 	/* MS Radio Access Capability 10.5.5.12a */
 	ms_ra_acc_cap_len = *cur++;
 	ms_ra_acc_cap = cur;
-	if (ms_ra_acc_cap_len > 51)
+	if (ms_ra_acc_cap_len > MS_RADIO_ACCESS_CAPA_MAX_LENGTH)
 		goto err_inval;

 	/* Optional: Old P-TMSI Signature, Requested READY timer, TMSI Status */