Hi jolly,
I'm seeing some strange behavior on the BTS side LAPDm code:
When we get a SABM on SAPI=3 from the phone, this gets translated into an RSL_RLL_EST_IND. However, as there commonly is no L3 payload in a SAPI=3 SABM, the L3_INFO IE should not be present in that message.
Instead of an RLL_EST_IND without an L3_INFO IE, we get an L3_INFO IE that consists only of a 1-byte tag and a 2-byte length, but no payload. The length value seems non-deterministic, i.e. like uninitialized memory.
I've tried to resolve this, and I suspect it is somehow related to the DUMMY msgb that the lapd code allocates (why is it doing that?) in send_dl_simple().
The code path should be:
lapd_rx_u() -> if (length == 0) -> send_dl_simple() -> send_rslms_dlsap(): here we check for (!dp->oph.msg), but since there is a dummy msgb, we probably run into the send_rslms_rll_l3() case instead of send_rll_simple().
What do you think is the best way to resolve this?
Thanks, Harald
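As an added illustration of the check described in the mail (not code from the lapd/RSL implementation), the following constructed C model builds the EST_IND with and without the optional TL16V L3_INFO IE. The struct, function names, header bytes and IE tag are hypothetical stand-ins; the point is that testing only for a non-NULL msgb lets an empty dummy msgb produce an IE, whereas testing the payload length does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the code path in the mail; none of these names are
 * libosmocore's own. The real bug showed an uninitialised 2-byte length in
 * the IE; here the dummy msgb simply carries a zero-length payload. */
struct msg {
    const uint8_t *data;   /* L3 payload; may point at an empty buffer */
    size_t len;            /* payload length; 0 for a dummy msgb */
};

#define IE_L3_INFO 0x0b    /* illustrative IE tag, TL16V encoded */

/* Fixed EST_IND part: discriminator, type, channel and link id (constructed). */
static size_t put_est_ind_hdr(uint8_t *out, uint8_t sapi)
{
    const uint8_t hdr[] = { 0x02, 0x06, 0x01, 0x08, 0x02, sapi };
    memcpy(out, hdr, sizeof(hdr));
    return sizeof(hdr);
}

/* TL16V L3 Information IE: 1-byte tag, 2-byte big-endian length, value. */
static size_t put_l3_info(uint8_t *out, const struct msg *m)
{
    out[0] = IE_L3_INFO;
    out[1] = (uint8_t)(m->len >> 8);
    out[2] = (uint8_t)(m->len & 0xff);
    memcpy(out + 3, m->data, m->len);
    return 3 + m->len;
}

/* Mirrors the (!dp->oph.msg) style check: only the presence of a msgb is
 * tested, so a dummy msgb with no payload still emits an empty IE. */
size_t build_est_ind_msgcheck(uint8_t *out, uint8_t sapi, const struct msg *m)
{
    size_t n = put_est_ind_hdr(out, sapi);
    if (m)
        n += put_l3_info(out + n, m);
    return n;
}

/* Tests the payload length instead, so neither a missing nor an empty
 * msgb adds the optional IE; the message ends after the mandatory IEs. */
size_t build_est_ind_lencheck(uint8_t *out, uint8_t sapi, const struct msg *m)
{
    size_t n = put_est_ind_hdr(out, sapi);
    if (m && m->len > 0)
        n += put_l3_info(out + n, m);
    return n;
}
```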