From: Pooventhiran G Date: Wed, 18 Jun 2025 19:05:09 +0000 (+0530) Subject: AP MLD: Remove Link STA on Group KDE length check failure X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=307c363964ec5a654325953a51b915af62e7a044;p=thirdparty%2Fhostap.git AP MLD: Remove Link STA on Group KDE length check failure If accepting an add-request in Link Reconfiguration causes the Group KDE Length subfield to exceed max length, the request is rejected, but the link STA will already have been added to the kernel driver. Hence, remove the link STA on max length check failure. Fixes: 60b3884948c6 ("AP MLD: Validate Link Reconfiguration Request frame after parsing") Signed-off-by: Pooventhiran G --- diff --git a/src/ap/ieee802_11_eht.c b/src/ap/ieee802_11_eht.c index ce228469f..19139f3f1 100644 --- a/src/ap/ieee802_11_eht.c +++ b/src/ap/ieee802_11_eht.c @@ -2434,9 +2434,9 @@ hostapd_validate_link_reconf_req(struct hostapd_data *hapd, struct sta_info *sta, struct link_reconf_req_list *req_list) { - struct hostapd_data *assoc_hapd; + struct hostapd_data *assoc_hapd, *lhapd; struct link_reconf_req_info *info; - struct sta_info *assoc_sta; + struct sta_info *assoc_sta, *lsta; struct mld_info *mld_info; u8 recovery_link; u16 valid_links = 0, links_add_ok = 0, links_del_ok = 0, status; @@ -2463,6 +2463,9 @@ hostapd_validate_link_reconf_req(struct hostapd_data *hapd, /* Check IEs for add-link STA profiles */ dl_list_for_each(info, &req_list->add_req, struct link_reconf_req_info, list) { + lhapd = NULL; + lsta = NULL; + wpa_printf(MSG_DEBUG, "MLD: Add Link Reconf STA for link id=%u status=%u", info->link_id, info->status); @@ -2498,6 +2501,14 @@ hostapd_validate_link_reconf_req(struct hostapd_data *hapd, LINK_RECONF_GROUP_KDE_MAX_LEN, info->link_id); status = WLAN_STATUS_UNSPECIFIED_FAILURE; + + lhapd = hostapd_mld_get_link_bss(hapd, info->link_id); + if (lhapd) + lsta = ap_get_sta(lhapd, + req_list->sta_mld_addr); + + if (lsta) + ap_free_sta(lhapd, lsta); } else { total_kde_len += link_kde_len; links_add_ok |= BIT(info->link_id);