From b69e326e69d5b423b4727b144d40ef3ed58adc6d Mon Sep 17 00:00:00 2001 
From: Pau Espin Pedrol
Date: Tue, 19 Nov 2024 19:52:48 +0100
Subject: [PATCH] gmm: Fix reject small size RAU request

A RAU Request can actually be 14 bytes long:
"""
GSM A-I/F DTAP - Routing Area Update Request
Protocol Discriminator: GPRS mobility management messages (8)
.... 1000 = Protocol discriminator: GPRS mobility management messages (0x8)
0000 .... = Skip Indicator: No indication of selected PLMN (0)
DTAP GPRS Mobility Management Message Type: Routing Area Update Request (0x08)
Update Type
.... 0... = Follow-on request pending: False
.... .000 = Update type: RA updating (0)
Ciphering Key Sequence Number
0... .... = Spare bit(s): 0
.111 .... = key sequence: No key is available (MS to network) (7)
Routing Area Identification - Old routing area identification - RAI: 262-42-13135-0
Routing area identification: 262-42-13135-0
Mobile Country Code (MCC): Germany (262)
Mobile Network Code (MNC): Vodafone GmbH (42)
Location Area Code (LAC): 0x334f (13135)
Routing Area Code (RAC): 0x00 (0)
MS Radio Access Capability
Length: 4
MS RA capability 1
0001 .... = Access Technology Type: GSM E --note that GSM E covers GSM P (1)
.... 0001 111. .... = Length in bits: 0x0f (15)
...0 01.. RF Power Capability, GMSK Power Class: Not specified (1)
A5 Bits: Same values apply for parameters as in the immediately preceding Access capabilities field within this IE (0)
.... ...1 = Controlled early Classmark Sending: Implemented
0... .... = Pseudo Synchronisation: Not Present
.0.. .... = Voice Group Call Service: no VGCS capability or no notifications wanted
..0. .... = Voice Broadcast Service: no VBS capability or no notifications wanted
...1 .... = Multislot capability struct: Present
HSCSD multislot class: Bits are not available (0)
GPRS multislot class: Bits are not available (0)
SMS_VALUE (Switch-Measure-Switch): Bits are not available (0)
ECSD multislot class: Bits are not available (0)
EGPRS multislot class: Bits are not available (0)
DTM GPRS Multi Slot Class: Bits are not available (0)
"""

Change-Id: I49210a04b16e6e2fc9d799b99c2fa415f28ddbba
---
 src/sgsn/gprs_gmm_util.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/sgsn/gprs_gmm_util.c b/src/sgsn/gprs_gmm_util.c
index 4a59c37cf..4f616692e 100644
--- a/src/sgsn/gprs_gmm_util.c
+++ b/src/sgsn/gprs_gmm_util.c
@@ -79,8 +79,9 @@ int gprs_gmm_parse_ra_upd_req(struct msgb *msg, struct gprs_gmm_ra_upd_req *rau_ memset(rau_req, 0, sizeof(struct gprs_gmm_ra_upd_req)); - /* all mandatory fields + variable length MS Radio Cap (min value) */ - if (msgb_l3len(msg) < 16) + /* all mandatory fields + variable length MS Radio Cap (min value) would be 15 bytes. + * But even short radio capabilities we should handle with 14 bytes */ + if (msgb_l3len(msg) < 14) return GMM_CAUSE_PROTO_ERR_UNSPEC; gh = (struct gsm48_hdr *) msgb_gmmh(msg);
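Review bot: the replacement comment in this hunk does not explain the numbers it relies on, and it now disagrees with the code it replaced (the old guard used 16 while calling itself the "min value", the new comment says the spec minimum "would be 15", and the new guard uses 14); please spell out in the comment how 15 is derived from the mandatory IEs plus the minimum MS Radio Access Capability LV, and that 14 is accepted because real MSs send a 4-octet capability field as in the capture in the commit message. Since this guard was the only length check visible here and it is being relaxed, also confirm that the code after `gh = (struct gsm48_hdr *) msgb_gmmh(msg);` validates the MS Radio Access Capability length octet against the remaining `msgb_l3len(msg)` before reading the capability bytes, so a 14-byte message whose length octet claims more than 4 octets is rejected rather than read past the buffer; a regression test that feeds the 14-byte RAU Request from the commit message through `gprs_gmm_parse_ra_upd_req()` and checks it no longer returns `GMM_CAUSE_PROTO_ERR_UNSPEC` would pin this down.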