AP MLD: Defragment MLE subelements in (Re)Association Request
authorPooventhiran G <quic_pooventh@quicinc.com>
Fri, 11 Apr 2025 11:28:32 +0000 (16:58 +0530)
committerJouni Malinen <j@w1.fi>
Sat, 12 Apr 2025 10:36:40 +0000 (13:36 +0300)
The subelements carried within a Multi-Link element can pack more than
255 bytes, and this is achieved using Fragment subelements, similar to how
the Multi-Link element uses Fragment elements. However, the current
implementation does not defragment the Fragment subelements and hence,
when they are encountered, parsing fails, causing the connection to fail.

Fix this by defragmenting the subelements before processing to get a
complete stream of subelement data.

Fixes: 7a7a2256c0ea ("common: Support parsing link specific association request")
Fixes: 5f5db9366cde ("AP: MLO: Process Multi-Link element from (Re)Association Request frame")
Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
src/ap/ieee802_11_eht.c
src/common/ieee802_11_common.c

index 577fa563b0481283d108399c461b5c3ec16a573d..b61a94fa8a2fa9eab7ff1dea7c782c6180dde8ec 100644 (file)
@@ -1278,13 +1278,26 @@ u16 hostapd_process_ml_assoc_req(struct hostapd_data *hapd,
         * length Common Info field. */
        pos = end;
        while (ml_end - pos > 2) {
-               size_t sub_elem_len = *(pos + 1);
-               size_t sta_info_len;
+               size_t sub_elem_len, sta_info_len;
                u16 control;
                const u8 *sub_elem_end;
+               int num_frag_subelems;
 
-               wpa_printf(MSG_DEBUG, "MLD: sub element len=%zu",
-                          sub_elem_len);
+               num_frag_subelems =
+                       ieee802_11_defrag_mle_subelem(mlbuf, pos,
+                                                     &sub_elem_len);
+               if (num_frag_subelems < 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "MLD: Failed to parse MLE subelem");
+                       goto out;
+               }
+
+               ml_len -= num_frag_subelems * 2;
+               ml_end = ((const u8 *) ml) + ml_len;
+
+               wpa_printf(MSG_DEBUG,
+                          "MLD: sub element len=%zu, Fragment subelems=%u",
+                          sub_elem_len, num_frag_subelems);
 
                if (2 + sub_elem_len > (size_t) (ml_end - pos)) {
                        wpa_printf(MSG_DEBUG,
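Review bot: `ml_len -= num_frag_subelems * 2;` subtracts the count returned by ieee802_11_defrag_mle_subelem() without comparing it to the remaining length, and the bytes being parsed come from a peer's (Re)Association Request. The helper and the declaration of ml_len are outside this hunk; if ml_len is unsigned and the helper ever reports more fragment headers than remain, ml_len wraps and ml_end moves past the buffer, so the following `2 + sub_elem_len > (size_t) (ml_end - pos)` check no longer bounds anything. A guard before the subtraction, `if ((size_t) num_frag_subelems * 2 > ml_len) goto out;`, keeps the caller safe on its own; the same applies to `len -= num_frag_subelems * 2;` in ieee802_11_parse_link_assoc_req(). Separately, num_frag_subelems is declared `int` but printed with `%u` in both hunks; `%d` matches the type.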
index 1adb08eaf49f0d760c426ae315501206ed5b840d..838869a0363bb0bf6409ddcb3806f41c2edc68eb 100644 (file)
@@ -1016,14 +1016,25 @@ ParseRes ieee802_11_parse_link_assoc_req(struct ieee802_11_elems *elems,
        pos += sizeof(*ml) + pos[sizeof(*ml)];
 
        while (len > 2) {
-               size_t sub_elem_len = *(pos + 1);
-               size_t sta_info_len;
+               size_t sub_elem_len, sta_info_len;
                u16 link_info_control;
                const u8 *non_inherit;
+               int num_frag_subelems;
+
+               num_frag_subelems =
+                       ieee802_11_defrag_mle_subelem(mlbuf, pos,
+                                                     &sub_elem_len);
+               if (num_frag_subelems < 0) {
+                       wpa_printf(MSG_DEBUG,
+                                  "MLD: Failed to parse MLE subelem");
+                       goto out;
+               }
+
+               len -= num_frag_subelems * 2;
 
                wpa_printf(MSG_DEBUG,
-                          "MLD: sub element: len=%zu, sub_elem_len=%zu",
-                          len, sub_elem_len);
+                          "MLD: sub element: len=%zu, sub_elem_len=%zu, Fragment subelems=%u",
+                          len, sub_elem_len, num_frag_subelems);
 
                if (2 + sub_elem_len > len) {
                        if (show_errors)
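Review bot: The added failure path prints `"MLD: Failed to parse MLE subelem"` unconditionally, while the length check directly below it is gated on `if (show_errors)`. If show_errors exists to keep repeated parses of the same frame quiet (the rest of the function is outside this hunk, so that is inferred), the new message should follow the same convention: `if (show_errors) wpa_printf(MSG_DEBUG, "MLD: Failed to parse MLE subelem");`. It would also help to add a short comment above the call stating that ieee802_11_defrag_mle_subelem() rewrites mlbuf in place and that `len` is reduced by two octets per removed Fragment subelement header, since that invariant is what the `2 + sub_elem_len > len` check relies on.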