From 0d544e7db5f65ff79bb0436a109576b6e82ec4ee Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@netfilter.org>
Date: Mon, 10 Aug 2009 00:22:19 +0200
Subject: [PATCH] fix off-by-one error in calculating RPDU length for
 CP-USER-DATA IE

---
 openbsc/src/gsm_04_11.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/gsm_04_11.c b/openbsc/src/gsm_04_11.c
index 9a5a08cde..728574ad7 100644
--- a/openbsc/src/gsm_04_11.c
+++ b/openbsc/src/gsm_04_11.c
@@ -121,10 +121,11 @@ static int gsm411_rp_sendmsg(struct msgb *msg, struct gsm_trans *trans,
 			     u_int8_t rp_msg_type, u_int8_t rp_msg_ref)
 {
 	struct gsm411_rp_hdr *rp;
+	u_int8_t len = msg->len;
 
 	/* GSM 04.11 RP-DATA header */
 	rp = (struct gsm411_rp_hdr *)msgb_push(msg, sizeof(*rp));
-	rp->len = msg->len;
+	rp->len = len + 2;
 	rp->msg_type = rp_msg_type;
 	rp->msg_ref = rp_msg_ref; /* FIXME: Choose randomly */