From a2f74b847782a2578fe5b0a79f5479379493d4ba Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@netfilter.org>
Date: Wed, 16 Dec 2009 16:49:21 +0100
Subject: [PATCH] 04.08: fix off-by-one error while parsing measurement results

---
 openbsc/src/gsm_04_08.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c
index ef29b29cc..0815d6dde 100644
--- a/openbsc/src/gsm_04_08.c
+++ b/openbsc/src/gsm_04_08.c
@@ -190,47 +190,47 @@ int gsm48_parse_meas_rep(struct gsm_meas_rep *rep, struct msgb *msg)
 	rep->dl.full.rx_qual = (data[3] >> 4) & 0x7;
 	rep->dl.sub.rx_qual = (data[3] >> 1) & 0x7;
 
-	rep->num_cell = data[4] >> 6 | ((data[3] & 0x01) << 2);
+	rep->num_cell = ((data[3] >> 6) & 0x3) | ((data[2] & 0x01) << 2);
 	if (rep->num_cell < 1)
 		return 0;
 
 	/* an encoding nightmare in perfection */
 
-	rep->cell[0].rxlev = data[4] & 0x3f;
-	rep->cell[0].arfcn = bitvec_get_nth_set_bit(nbv, data[5] >> 2);
-	rep->cell[0].bsic = ((data[5] & 0x03) << 3) | (data[6] >> 5);
+	rep->cell[0].rxlev = data[3] & 0x3f;
+	rep->cell[0].arfcn = bitvec_get_nth_set_bit(nbv, data[4] >> 2);
+	rep->cell[0].bsic = ((data[4] & 0x03) << 3) | (data[5] >> 5);
 	if (rep->num_cell < 2)
 		return 0;
 
-	rep->cell[1].rxlev = ((data[6] & 0x1f) << 1) | (data[7] >> 7);
-	rep->cell[1].arfcn = bitvec_get_nth_set_bit(nbv, (data[7] >> 2) & 0x1f);
-	rep->cell[1].bsic = ((data[7] & 0x03) << 4) | (data[8] >> 4);
+	rep->cell[1].rxlev = ((data[5] & 0x1f) << 1) | (data[6] >> 7);
+	rep->cell[1].arfcn = bitvec_get_nth_set_bit(nbv, (data[6] >> 2) & 0x1f);
+	rep->cell[1].bsic = ((data[6] & 0x03) << 4) | (data[7] >> 4);
 	if (rep->num_cell < 3)
 		return 0;
 
-	rep->cell[2].rxlev = ((data[8] & 0x0f) << 2) | (data[9] >> 6);
-	rep->cell[2].arfcn = bitvec_get_nth_set_bit(nbv, (data[9] >> 1) & 0x1f);
-	rep->cell[2].bsic = ((data[9] & 0x01) << 6) | (data[10] >> 3);
+	rep->cell[2].rxlev = ((data[7] & 0x0f) << 2) | (data[8] >> 6);
+	rep->cell[2].arfcn = bitvec_get_nth_set_bit(nbv, (data[8] >> 1) & 0x1f);
+	rep->cell[2].bsic = ((data[8] & 0x01) << 6) | (data[9] >> 3);
 	if (rep->num_cell < 4)
 		return 0;
 
-	rep->cell[3].rxlev = ((data[10] & 0x07) << 3) | (data[11] >> 5);
-	rep->cell[3].arfcn = bitvec_get_nth_set_bit(nbv, data[11] & 0x1f);
-	rep->cell[3].bsic = data[12] >> 2;
+	rep->cell[3].rxlev = ((data[9] & 0x07) << 3) | (data[10] >> 5);
+	rep->cell[3].arfcn = bitvec_get_nth_set_bit(nbv, data[10] & 0x1f);
+	rep->cell[3].bsic = data[11] >> 2;
 	if (rep->num_cell < 5)
 		return 0;
 
-	rep->cell[4].rxlev = ((data[12] & 0x03) << 4) | (data[13] >> 4);
+	rep->cell[4].rxlev = ((data[11] & 0x03) << 4) | (data[12] >> 4);
 	rep->cell[4].arfcn = bitvec_get_nth_set_bit(nbv,
-				((data[13] & 0xf) << 1) | (data[14] >> 7));
-	rep->cell[4].bsic = (data[14] >> 1) & 0x3f;
+				((data[12] & 0xf) << 1) | (data[13] >> 7));
+	rep->cell[4].bsic = (data[13] >> 1) & 0x3f;
 	if (rep->num_cell < 6)
 		return 0;
 
-	rep->cell[5].rxlev = ((data[14] & 0x01) << 5) | (data[15] >> 3);
+	rep->cell[5].rxlev = ((data[13] & 0x01) << 5) | (data[14] >> 3);
 	rep->cell[5].arfcn = bitvec_get_nth_set_bit(nbv,
-				((data[15] & 0x07) << 2) | (data[16] >> 6));
-	rep->cell[5].bsic = data[16] & 0x3f;
+				((data[14] & 0x07) << 2) | (data[15] >> 6));
+	rep->cell[5].bsic = data[15] & 0x3f;
 
 	return 0;
 }