From bd33f3d0ef006f03188664159fbcd476068fe656 Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Sun, 30 May 2010 17:19:38 +0200
Subject: [GPRS] NS: correctly pass the NS payload length to the TLV parser

---
 openbsc/src/gprs/gprs_ns.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'openbsc/src')

diff --git a/openbsc/src/gprs/gprs_ns.c b/openbsc/src/gprs/gprs_ns.c
index c5cf962f..3db1d67f 100644
--- a/openbsc/src/gprs/gprs_ns.c
+++ b/openbsc/src/gprs/gprs_ns.c
@@ -564,7 +564,8 @@ static int gprs_ns_rx_status(struct gprs_nsvc *nsvc, struct msgb *msg)
 
 	LOGP(DNS, LOGL_NOTICE, "NSEI=%u Rx NS STATUS ", nsvc->nsei);
 
-	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data, msgb_l2len(msg), 0, 0);
+	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data,
+			msgb_l2len(msg) - sizeof(*nsh), 0, 0);
 	if (rc < 0) {
 		LOGPC(DNS, LOGL_NOTICE, "Error during TLV Parse\n");
 		LOGP(DNS, LOGL_ERROR, "NSEI=%u Rx NS STATUS: "
@@ -592,7 +593,8 @@ static int gprs_ns_rx_reset(struct gprs_nsvc *nsvc, struct msgb *msg)
 	uint16_t *nsvci, *nsei;
 	int rc;
 
-	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data, msgb_l2len(msg), 0, 0);
+	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data,
+			msgb_l2len(msg) - sizeof(*nsh), 0, 0);
 	if (rc < 0) {
 		LOGP(DNS, LOGL_ERROR, "NSEI=%u Rx NS RESET "
 			"Error during TLV Parse\n", nsvc->nsei);
@@ -642,7 +644,8 @@ static int gprs_ns_rx_block(struct gprs_nsvc *nsvc, struct msgb *msg)
 
 	nsvc->state |= NSE_S_BLOCKED;
 
-	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data, msgb_l2len(msg), 0, 0);
+	rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data,
+			msgb_l2len(msg) - sizeof(*nsh), 0, 0);
 	if (rc < 0) {
 		LOGP(DNS, LOGL_ERROR, "NSEI=%u Rx NS BLOCK "
 			"Error during TLV Parse\n", nsvc->nsei);
@@ -706,11 +709,10 @@ int gprs_ns_rcvmsg(struct gprs_ns_inst *nsi, struct msgb *msg,
 #endif
 		}
 		rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data,
-						msgb_l2len(msg), 0, 0);
-		rc = tlv_parse(&tp, &ns_att_tlvdef, nsh->data, msgb_l2len(msg), 0, 0);
+				msgb_l2len(msg) - sizeof(*nsh), 0, 0);
 		if (rc < 0) {
-			LOGP(DNS, LOGL_ERROR, "Rx NS RESET Error during "
-				"TLV Parse\n");
+			LOGP(DNS, LOGL_ERROR, "Rx NS RESET Error %d during "
+				"TLV Parse\n", rc);
 			return rc;
 		}
 		if (!TLVP_PRESENT(&tp, NS_IE_CAUSE) ||
-- 
cgit v1.2.3