From: Pooventhiran G Date: Fri, 11 Apr 2025 11:28:34 +0000 (+0530) Subject: nl80211: Defragment MLE subelements in CONNECT event parsing X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6f9597d1fceba4b8f60e5d4897de00d6de96f29;p=thirdparty%2Fhostap.git nl80211: Defragment MLE subelements in CONNECT event parsing While parsing the Multi-Link element in CONNECT event, subelements carried in the Multi-Link element are not defragmented. Fix this by defragmenting the subelement before processing to avoid parsing issues. Fixes: cc2236299f99 ("nl80211: Get all requested MLO links information from (re)association events") Reviewed-by: Rohan Dutta Signed-off-by: Pooventhiran G --- diff --git a/src/drivers/driver_nl80211_event.c b/src/drivers/driver_nl80211_event.c index 40555c957..46e54009d 100644 --- a/src/drivers/driver_nl80211_event.c +++ b/src/drivers/driver_nl80211_event.c @@ -585,11 +585,13 @@ struct links_info { }; -static void nl80211_get_basic_mle_links_info(const u8 *mle, size_t mle_len, +static void nl80211_get_basic_mle_links_info(struct wpabuf *mlbuf, struct links_info *info) { size_t rem_len; const u8 *pos; + const u8 *mle = wpabuf_head(mlbuf); + size_t mle_len = wpabuf_len(mlbuf); if (mle_len < MULTI_LINK_CONTROL_LEN + 1 || mle_len - MULTI_LINK_CONTROL_LEN < mle[MULTI_LINK_CONTROL_LEN]) @@ -602,7 +604,20 @@ static void nl80211_get_basic_mle_links_info(const u8 *mle, size_t mle_len, /* Parse Subelements */ while (rem_len > 2) { - size_t ie_len = 2 + pos[1]; + size_t ie_len, subelem_defrag_len; + int num_frag_subelems; + + num_frag_subelems = + ieee802_11_defrag_mle_subelem(mlbuf, pos, + &subelem_defrag_len); + if (num_frag_subelems < 0) { + wpa_printf(MSG_DEBUG, + "nl80211: Failed to parse MLE subelem"); + break; + } + + ie_len = 2 + subelem_defrag_len; + rem_len -= num_frag_subelems * 2; if (rem_len < ie_len) break; @@ -612,7 +627,8 @@ static void nl80211_get_basic_mle_links_info(const u8 *mle, size_t mle_len, const u8 *sta_profile; u16 sta_ctrl; - if (pos[1] < BASIC_MLE_STA_PROF_STA_MAC_IDX + ETH_ALEN) + if (subelem_defrag_len < + BASIC_MLE_STA_PROF_STA_MAC_IDX + ETH_ALEN) goto next_subelem; sta_profile = &pos[2]; @@ -668,8 +684,7 @@ static int nl80211_update_rejected_links_info(struct driver_sta_mlo_info *mlo, return -1; } os_memset(&req_info, 0, sizeof(req_info)); - nl80211_get_basic_mle_links_info(wpabuf_head(mle), wpabuf_len(mle), - &req_info); + nl80211_get_basic_mle_links_info(mle, &req_info); wpabuf_free(mle); mle = ieee802_11_defrag(resp_elems.basic_mle, resp_elems.basic_mle_len, @@ -680,8 +695,7 @@ static int nl80211_update_rejected_links_info(struct driver_sta_mlo_info *mlo, return -1; } os_memset(&resp_info, 0, sizeof(resp_info)); - nl80211_get_basic_mle_links_info(wpabuf_head(mle), wpabuf_len(mle), - &resp_info); + nl80211_get_basic_mle_links_info(mle, &resp_info); wpabuf_free(mle); if (req_info.non_assoc_links != resp_info.non_assoc_links) {