Hi jolly, I'm seeing some strange behavior on the BTS side LAPDm code: When we get a SABM on SAPI=3 from the phone, this gets translated into an RSL_RLL_EST_IND. However, as there commonly is no l3 payload in a SAPI=3 SABM, the L3_INFO IE should not be present in that message. Instead of a RLL_EST_IND without L3_INFO IE, we get a L3_INFO IE that consists only of 1 byte tag and 2 byte length, but not payload. The Length value seems non-deterministic, i.e. like uninitialized memory. I've tried to resolve this, and I suspect it is somehow related to the DUMMY msgb that the lapd code allocates (why is it doing that?) in send_dl_simple(). The code path should be: lapd_rx_u() if (length == 0) send_dl_simple() send_rslms_dlsap() here we check for (!dp->oph.msg), but since there is a dummy msgb, we probably run into the send_rslms_rll_l3() case instead of send_rll_simple(). What do you think is the best way to resolve this? Thanks, Harald -- - Harald Welte <laforge(a)gnumonks.org> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)