From: Pooventhiran G Date: Fri, 11 Apr 2025 11:28:33 +0000 (+0530) Subject: AP MLD: Defragment MLE subelements while updating Link Status X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6565b7069257d4709410f4ded7882ec0e83f287;p=thirdparty%2Fhostap.git AP MLD: Defragment MLE subelements while updating Link Status While updating link status from the (Re)Association Response frame elements, subelements carried in the Multi-Link element are not defragged. Fix this by defragmenting the subelement before processing to avoid parsing issues. Fixes: d320692d918a ("AP MLD: Handle new STA event when using SME offload to the driver") Reviewed-by: Rohan Dutta Signed-off-by: Pooventhiran G --- diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 9c2dede21..f3aeb2236 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -189,7 +189,20 @@ static int hostapd_update_sta_links_status(struct hostapd_data *hapd, /* Parse Subelements */ while (rem_len > 2) { - size_t ie_len = 2 + pos[1]; + size_t ie_len, subelem_defrag_len; + int num_frag_subelems; + + num_frag_subelems = + ieee802_11_defrag_mle_subelem(mlebuf, pos, + &subelem_defrag_len); + if (num_frag_subelems < 0) { + wpa_printf(MSG_DEBUG, + "MLD: Failed to parse MLE subelem"); + break; + } + + ie_len = 2 + subelem_defrag_len; + rem_len -= num_frag_subelems * 2; if (rem_len < ie_len) break; @@ -200,13 +213,13 @@ static int hostapd_update_sta_links_status(struct hostapd_data *hapd, size_t sta_profile_len; u16 sta_ctrl; - if (pos[1] < BASIC_MLE_STA_CTRL_LEN + 1) { + if (subelem_defrag_len < BASIC_MLE_STA_CTRL_LEN + 1) { wpa_printf(MSG_DEBUG, "MLO: Invalid per-STA profile IE"); goto next_subelem; } - sta_profile_len = pos[1]; + sta_profile_len = subelem_defrag_len; sta_profile = &pos[2]; sta_ctrl = WPA_GET_LE16(sta_profile); link_id = sta_ctrl & BASIC_MLE_STA_CTRL_LINK_ID_MASK;