gmm: Fix reject small size RAU request
A RAU Request can actually be 14 bytes long:
"""
GSM A-I/F DTAP - Routing Area Update Request
    Protocol Discriminator: GPRS mobility management messages (8)
        .... 1000 = Protocol discriminator: GPRS mobility management messages (0x8)
        0000 .... = Skip Indicator: No indication of selected PLMN (0)
    DTAP GPRS Mobility Management Message Type: Routing Area Update Request (0x08)
    Update Type
        .... 0... = Follow-on request pending: False
        .... .000 = Update type: RA updating (0)
    Ciphering Key Sequence Number
        0... .... = Spare bit(s): 0
        .111 .... = key sequence: No key is available (MS to network) (7)
    Routing Area Identification - Old routing area identification - RAI: 262-42-13135-0
        Routing area identification: 262-42-13135-0
            Mobile Country Code (MCC): Germany (262)
            Mobile Network Code (MNC): Vodafone GmbH (42)
            Location Area Code (LAC): 0x334f (13135)
            Routing Area Code (RAC): 0x00 (0)
    MS Radio Access Capability
        Length: 4
        MS RA capability 1
            0001 .... = Access Technology Type: GSM E --note that GSM E covers GSM P (1)
            .... 0001  111. .... = Length in bits: 0x0f (15)
            ...0 01.. RF Power Capability, GMSK Power Class: Not specified (1)
            A5 Bits: Same values apply for parameters as in the immediately preceding Access capabilities field within this IE (0)
            .... ...1 = Controlled early Classmark Sending: Implemented
            0... .... = Pseudo Synchronisation: Not Present
            .0.. .... = Voice Group Call Service: no VGCS capability or no notifications wanted
            ..0. .... = Voice Broadcast Service: no VBS capability or no notifications wanted
            ...1 .... = Multislot capability struct: Present
                HSCSD multislot class: Bits are not available (0)
                GPRS multislot class: Bits are not available (0)
                SMS_VALUE (Switch-Measure-Switch): Bits are not available (0)
                ECSD multislot class: Bits are not available (0)
                EGPRS multislot class: Bits are not available (0)
                DTM GPRS Multi Slot Class: Bits are not available (0)
"""

Change-Id: I49210a04b16e6e2fc9d799b99c2fa415f28ddbba
pespin authored and lynxis committed Nov 25, 2024
1 parent 11854f5 commit b69e326
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/sgsn/gprs_gmm_util.c
Expand Up @@ -79,8 +79,9 @@ int gprs_gmm_parse_ra_upd_req(struct msgb *msg, struct gprs_gmm_ra_upd_req *rau_

memset(rau_req, 0, sizeof(struct gprs_gmm_ra_upd_req));

/* all mandatory fields + variable length MS Radio Cap (min value) */
if (msgb_l3len(msg) < 16)
/* all mandatory fields + variable length MS Radio Cap (min value) would be 15 bytes.
* But even short radio capabilities we should handle with 14 bytes */
if (msgb_l3len(msg) < 14)
return GMM_CAUSE_PROTO_ERR_UNSPEC;

gh = (struct gsm48_hdr *) msgb_gmmh(msg);
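
Review bot: The new comment above `if (msgb_l3len(msg) < 14)` says the mandatory fields plus the minimum MS Radio Cap "would be 15 bytes", yet the check accepts 14 and the comment does not say where 14 comes from. Going by the trace in the commit message, 14 is 2 header octets + 1 octet shared by Update Type and CKSN + 6 octets of RAI + 1 length octet + 4 octets of MS RA capability; spelling that sum out in the comment, or using a named constant instead of the bare 14, would make the bound auditable. Because this floor now only guarantees a 4-octet capability value, the parsing that follows, which is not visible in this hunk, should validate the MS RA capability length octet against the remaining `msgb_l3len(msg)` before reading the value rather than rely on this minimum. A regression test that feeds the 14-byte message from the commit message through `gprs_gmm_parse_ra_upd_req()` would pin the new behaviour.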