From: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Date: Tue, 1 Apr 2025 19:15:36 +0000 (+0530)
Subject: AP MLD: Clear rejected links in wpa_state_machine
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0a78255dfb5776c786f1c41d5ad74aa62d4a169;p=thirdparty%2Fhostap.git

AP MLD: Clear rejected links in wpa_state_machine

When a non-AP MLD requests ML association, the wpa_state_machine
(sta->wpa_sm) object for the STA is created while processing IEs of the
link in which the (Re)Association Request frame is received and all link
information is updated to sm->mld_links[].

Later while processing STA profiles, links that don't satisfy the
necessary conditions for the affiliated AP of the AP MLD to accept the
links will be rejected, but these links are still marked as valid in
wpa_sm. This results in unnecessary link KDE mismatch in EAPOL 2/4 and
additional Group KDEs in EAPOL 3/4.

Reset the valid flag of rejected links in wpa_sm and release its wpa
group references.

Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
---

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 7d207fcde..7a33dd487 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4885,6 +4885,8 @@ out:
 
 	wpa_printf(MSG_DEBUG, "MLD: link: status=%u", status);
 	if (status != WLAN_STATUS_SUCCESS) {
+		wpa_release_link_auth_ref(origin_sta->wpa_sm,
+					  hapd->mld_link_id);
 		if (sta)
 			ap_free_sta(hapd, sta);
 		return -1;
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index a27a66a07..fb9a74a87 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -125,17 +125,23 @@ static void wpa_gkeydone_sta(struct wpa_state_machine *sm)
 
 #ifdef CONFIG_IEEE80211BE
 
-void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
-			       int release_link_id)
+void wpa_release_link_auth_ref(struct wpa_state_machine *sm, u8 link_id)
 {
-	int link_id;
+	struct wpa_authenticator *wpa_auth;
+	struct mld_link *link;
 
-	if (!sm || release_link_id >= MAX_NUM_MLD_LINKS)
+	if (!sm || link_id >= MAX_NUM_MLD_LINKS)
 		return;
 
-	for_each_sm_auth(sm, link_id) {
-		if (link_id == release_link_id)
-			sm->mld_links[link_id].wpa_auth = NULL;
+	link = &sm->mld_links[link_id];
+	if (link->valid) {
+		link->valid = false;
+		wpa_auth = link->wpa_auth;
+		if (wpa_auth) {
+			link->wpa_auth = NULL;
+			wpa_group_put(wpa_auth, wpa_auth->group);
+		}
+		sm->n_mld_affiliated_links--;
 	}
 }
 
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 140eeac79..1de467e01 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -683,8 +683,7 @@ void wpa_auth_ml_get_key_info(struct wpa_authenticator *a,
 			      bool mgmt_frame_prot, bool beacon_prot,
 			      bool rekey);
 
-void wpa_release_link_auth_ref(struct wpa_state_machine *sm,
-			       int release_link_id);
+void wpa_release_link_auth_ref(struct wpa_state_machine *sm, u8 link_id);
 
 #define for_each_sm_auth(sm, link_id) \
 	for (link_id = 0; link_id < MAX_NUM_MLD_LINKS; link_id++)	\