The Common Info and STA Info fields are supposed to be extensible and as
such, their length fields need to be verified to be large enough, but if
there are unknown extra fields after the known fields, those need to be
silently ignored instead of rejecting the element.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
}
common_info = (struct eht_ml_basic_common_info *) ml->variable;
- if (common_info->len != expected_common_info_len) {
+ if (common_info->len < expected_common_info_len) {
wpa_printf(MSG_DEBUG,
"MLD: Invalid common info len=%u. expected=%u",
common_info->len, expected_common_info_len);
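Review bot: With the comparison relaxed to "common_info->len < expected_common_info_len", the visible lines no longer place any upper bound on common_info->len. If the code after this check skips the Common Info field by its reported length, that length should also be compared against the remaining length of the Multi-Link element before it is used, so that an oversized value is rejected instead of moving the parser past the end of the element. The debug message would also be clearer if it named the second value as a minimum (for example "min=%u" in place of "expected=%u"), since a larger length is no longer invalid.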
sta_info_len = 1 + ETH_ALEN + 8 + 2 + 2 + 1 + nstr_bitmap_len;
if (sta_info_len > ml_len || sta_info_len > end - pos ||
sta_info_len + 2 > sub_elem_len ||
- sta_info_len != *pos) {
+ sta_info_len > *pos) {
wpa_printf(MSG_DEBUG,
"MLD: Invalid STA info len=%u, len=%u",
sta_info_len, *pos);
goto out;
}
+ sta_info_len = *pos;
/* Get the link address */
wpa_printf(MSG_DEBUG,
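Review bot: The added "sta_info_len = *pos;" replaces the computed minimum with the length byte taken from the frame after the bounds checks have already run, so the comparisons against ml_len, end - pos and sub_elem_len covered only the minimum value. A *pos larger than the minimum reaches the code after this block without having been checked against any of those limits. Consider validating *pos itself before the assignment, e.g. "*pos > end - pos || *pos + 2 > sub_elem_len", or repeating the existing checks once sta_info_len has been updated. Both values in the debug message are labelled "len=%u"; naming the first one as the minimum would make the log unambiguous.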