laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/42050?usp=email )
Change subject: gprs_sm: gsm48_tx_gsm_act_pdp_acc(): fix QoS profile length
......................................................................
gprs_sm: gsm48_tx_gsm_act_pdp_acc(): fix QoS profile length
The Activate PDP Context Accept was always sending sizeof(default_qos) (14 bytes) as the QoS profile length, regardless of what the UE requested. Older modules such as the Air20X may crash and restart during PDP attachment because of that.
In GTP, qos_req.l encodes 1 ARP byte followed by the QoS profile octets, so (qos_req.l - 1) is the actual profile length. Mirror back the same QoS profile length the UE sent in its request, capped at sizeof(default_qos) to avoid overrunning the default_qos buffer. This matters in particular for R97/R98 UEs that send a 3-byte QoS profile and should not receive a 14-byte response.
Change-Id: I11c24b64f0e49cf80c825969dbf018b2948d855c
Related: OS#6922
---
M src/sgsn/gprs_sm.c
1 file changed, 10 insertions(+), 1 deletion(-)
Approvals:
  Jenkins Builder: Verified
  lynxis lazus: Looks good to me, approved
  laforge: Looks good to me, approved
diff --git a/src/sgsn/gprs_sm.c b/src/sgsn/gprs_sm.c index bcf2923..4f55b57 100644 --- a/src/sgsn/gprs_sm.c +++ b/src/sgsn/gprs_sm.c @@ -206,7 +206,16 @@
/* FIXME: copy QoS parameters from original request */ //msgb_lv_put(msg, pdp->lib->qos_neg.l, pdp->lib->qos_neg.v); - msgb_lv_put(msg, sizeof(default_qos), (uint8_t *)&default_qos); + + /* qos_req.l is encoded as 1 (ARP byte) + N QoS profile bytes in GTP. + * Mirror back the same QoS profile length the UE requested, capped at + * sizeof(default_qos) (14 bytes, covering up to R99/R7 QoS format). */ + uint8_t qos_len = sizeof(default_qos); + if (pdp->lib->qos_req.l > 1) + qos_len = pdp->lib->qos_req.l - 1; + if (qos_len > sizeof(default_qos)) + qos_len = sizeof(default_qos); + msgb_lv_put(msg, qos_len, (uint8_t *)&default_qos);
/* Radio priority 10.5.7.2 */ msgb_v_put(msg, pdp->lib->radio_pri);
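Review bot: The FIXME at the top of the hunk still applies after this change: `qos_len` now mirrors the length the UE requested, but the bytes written are still `default_qos`, so a UE that sent a 3-byte R97/98 profile receives the first 3 octets of the 14-byte default rather than its own requested values; the new comment should say explicitly that only the length is mirrored and that the content copy is still outstanding, so nobody reads "Mirror back the same QoS profile" as the FIXME being resolved. Two smaller points on the same lines: when `pdp->lib->qos_req.l - 1` exceeds `sizeof(default_qos)` the response is silently truncated to 14 bytes with no log, and given that this change exists because a UE crashed on an unexpected QoS length, a debug-level log of the requested versus sent length would make such cases visible in the field; and `uint8_t qos_len` is declared in the middle of the block after earlier statements, whereas the surrounding Osmocom code keeps declarations at the top of the block.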