laforge submitted this change.

Approvals:
  Jenkins Builder: Verified
  lynxis lazus: Looks good to me, approved
  laforge: Looks good to me, approved

gprs_sm: gsm48_tx_gsm_act_pdp_acc(): fix QoS profile length

The Activate PDP Context Accept was always sending sizeof(default_qos)
(14 bytes) as the QoS profile length, regardless of what the UE
requested. Older modules such as the Air20X may crash and restart
during PDP attachment because of that.

In GTP, qos_req.l encodes 1 ARP byte followed by the QoS profile
octets, so (qos_req.l - 1) is the actual profile length. Mirror
back the same QoS profile length the UE sent in its request,
capped at sizeof(default_qos) to avoid overrunning the default_qos
buffer. This matters in particular for R97/R98 UEs that send a
3-byte QoS profile and should not receive a 14-byte response.

Change-Id: I11c24b64f0e49cf80c825969dbf018b2948d855c
Related: OS#6922
---
M src/sgsn/gprs_sm.c
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/sgsn/gprs_sm.c b/src/sgsn/gprs_sm.c
index bcf2923..4f55b57 100644
--- a/src/sgsn/gprs_sm.c
+++ b/src/sgsn/gprs_sm.c
@@ -206,7 +206,16 @@

/* FIXME: copy QoS parameters from original request */
//msgb_lv_put(msg, pdp->lib->qos_neg.l, pdp->lib->qos_neg.v);
- msgb_lv_put(msg, sizeof(default_qos), (uint8_t *)&default_qos);
+
+ /* qos_req.l is encoded as 1 (ARP byte) + N QoS profile bytes in GTP.
+ * Mirror back the same QoS profile length the UE requested, capped at
+ * sizeof(default_qos) (14 bytes, covering up to R99/R7 QoS format). */
+ uint8_t qos_len = sizeof(default_qos);
+ if (pdp->lib->qos_req.l > 1)
+ qos_len = pdp->lib->qos_req.l - 1;
+ if (qos_len > sizeof(default_qos))
+ qos_len = sizeof(default_qos);
+ msgb_lv_put(msg, qos_len, (uint8_t *)&default_qos);

/* Radio priority 10.5.7.2 */
msgb_v_put(msg, pdp->lib->radio_pri);
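
Review bot: `qos_len` is declared as `uint8_t` and is assigned `pdp->lib->qos_req.l - 1` before the `sizeof(default_qos)` cap is applied, so if `qos_req.l` is wider than 8 bits the value is truncated first and the cap then checks the truncated number rather than the requested length. Doing the subtraction and clamp in a `size_t` (or the type of `qos_req.l`) and narrowing only for the `msgb_lv_put()` call would make the bound hold independent of the field's width. Two smaller points on the same lines: when `qos_req.l` is 0 or 1 the code silently falls back to the full 14 bytes, which deserves a word in the comment since it is the behaviour the commit is moving away from; and the bytes written are still a prefix of `default_qos`, not the requested or negotiated values, so the `FIXME` above remains accurate and the comment could say that only the length is mirrored.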

Gerrit-MessageType: merged
Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I11c24b64f0e49cf80c825969dbf018b2948d855c
Gerrit-Change-Number: 42050
Gerrit-PatchSet: 19
Gerrit-Owner: canghaiwuhen <canghaiwuhen@gmail.com>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: lynxis lazus <lynxis@fe80.eu>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>
Gerrit-CC: fixeria <vyanitskiy@sysmocom.de>