[PATCH 2/4] gsm0480: Fix handling GSM0480_MTYPE_FACILITY, it has only LV and facility_ie

Holger Freyther holger at freyther.de
Fri Apr 22 14:34:13 UTC 2016


> On 22 Apr 2016, at 14:41, Sergey Kostanbaev <sergey.kostanbaev at gmail.com> wrote:
> 
> +	case GSM0480_MTYPE_FACILITY:
> +		rc &= parse_ss_facility(&hdr->data[0], len - sizeof(*hdr), req);
> +		break;
> 	default:
> 		LOGP(0, LOGL_DEBUG, "Unknown GSM 04.80 message-type field 0x%02x\n",
> 			hdr->msg_type);
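Review bot: the length argument on the line `+		rc &= parse_ss_facility(&hdr->data[0], len - sizeof(*hdr), req);` is computed as `len - sizeof(*hdr)` in `size_t` arithmetic, so when `len` is smaller than `sizeof(*hdr)` the subtraction wraps and the huge result is then truncated to the callee's `uint16_t` parameter, leaving parse_ss_facility with a bogus length for `&hdr->data[0]`. Add an explicit bound check such as `if (len < sizeof(*hdr)) return 0;` before the switch in parse_ss so the payload length can never underflow. Note also that parse_ss_facility is only defined after parse_ss in the following hunk, so a prototype must precede this call unless one is added elsewhere in the series.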
> @@ -284,6 +288,18 @@ static int parse_ss(const struct gsm48_hdr *hdr, uint16_t len, struct ss_request
> 	return rc;
> }
> 
> +static int parse_ss_facility(const uint8_t *ss_facility, uint16_t len,
> +			     struct ss_request *req)
> +{
> +	uint8_t facility_length;
> +
> +	facility_length = ss_facility[0];
> +	if (len - 1 < facility_length)
> +		return 0;
> +
> +	return parse_facility_ie(ss_facility + 1, facility_length, req);
> +}
> +
> static int parse_ss_info_elements(const uint8_t *ss_ie, uint16_t len,
> 				  struct ss_request *req)
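Review bot: `facility_length = ss_facility[0];` dereferences the buffer before `len` has been validated, so a zero-length payload reads one byte past the end. The following `if (len - 1 < facility_length)` does reject `len == 0` (the subtraction is done in `int`, giving -1), but only after the out-of-bounds read has already happened. Check the length first, e.g. `if (len < 1) return 0;` ahead of the read, and only then compare `facility_length` against `len - 1`.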


Same as with the previous commit. There is no guarantee that original_len - sizeof(*hdr) > 1 (as that was removed). So len - 1 can be UINT16_MAX here?



