From: Jouni Malinen
Date: Fri, 23 Aug 2024 15:40:53 +0000 (+0300)
Subject: RSNO: Check that RSNOE/RSNO2E/RSNXOE fit into RSN Override Link KDE
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d98417218942d855f3e11051edb3da38d94906c8;p=thirdparty%2Fhostap.git
RSNO: Check that RSNOE/RSNO2E/RSNXOE fit into RSN Override Link KDE
While these elements fit without issue in production use cases, it is possible to override the elements for testing purposes and if such overridden elements are overly long, they would nto fit into the maximum length RSN Override Link KDE. This could result in difficult to debug failure cases, so check for this explicitly and instead of sending out the invalid M3, report the internal issue in the debug log and do not send M3.
Signed-off-by: Jouni Malinen
---
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 093aea23a..49866c276 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -4549,6 +4549,7 @@ static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
 struct wpa_authenticator *wpa_auth;
 const u8 *rsne, *rsnxe, *rsnoe, *rsno2e, *rsnxoe;
 size_t rsne_len, rsnxe_len, rsnoe_len, rsno2e_len, rsnxoe_len;
+ size_t kde_len;
 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
 if (!wpa_auth)
@@ -4618,8 +4619,15 @@ static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
 /* RSN Override Link KDE */
 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
- *pos++ = RSN_SELECTOR_LEN + 1 + rsnoe_len + rsno2e_len +
+ kde_len = RSN_SELECTOR_LEN + 1 + rsnoe_len + rsno2e_len +
 rsnxoe_len;
+ if (kde_len > 255) {
+ wpa_printf(MSG_ERROR,
+ "RSN: RSNOE/RSNO2E/RSNXOE too long (KDE length %zu) to fit in RSN Override Link KDE for link %u",
+ kde_len, link_id);
+ return NULL;
+ }
+ *pos++ = kde_len;
 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_RSN_OVERRIDE_LINK);
 pos += RSN_SELECTOR_LEN;
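Review bot: In the second hunk the `kde_len > 255` test runs only after `*pos++ = WLAN_EID_VENDOR_SPECIFIC;` has stored the element ID, so the NULL return leaves a partial KDE in the caller's buffer. Computing and checking `kde_len` before that store would leave the buffer untouched on failure; the one caller visible in this commit discards it, but other callers, if any, are not shown. The bare `255` would read better with a comment such as `/* KDE Length field is a single octet */`, and `*pos++ = (u8) kde_len;` would make the now-safe narrowing from `size_t` explicit. The function body starts and ends outside both hunks, so whether the MLO Link KDE built earlier in it needs the same bound cannot be judged from here.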
@@ -4972,6 +4980,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 #endif /* CONFIG_DPP2 */
 pos = wpa_auth_ml_kdes(sm, pos);
+ if (!pos) {
+ wpa_printf(MSG_ERROR, "RSN: Failed to add MLO KDEs");
+ goto done;
+ }
 if (sm->ssid_protection) {
 *pos++ = WLAN_EID_SSID;
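Review bot: The new `goto done` after a NULL return from `wpa_auth_ml_kdes()` means M3 is never sent, and nothing in this hunk shows what ends the handshake for that station afterwards. Refusing to send a malformed M3 is the right choice, but the resulting state deserves a comment at the branch, for example `/* Internal error: M3 is not sent; the 4-way handshake is left to time out */`, once that behaviour is confirmed. The `done` label and the allocations made earlier in this state handler lie outside the hunk, so the cleanup on this path cannot be checked from here. The log line would also be easier to correlate if it named the station, in the way other messages in this file presumably do.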