From 00e74b2f6e21e4d01aa58433a441ca4c81fb10ab Mon Sep 17 00:00:00 2001
From: Amarnath Hullur Subramanyam <amarnathhs@google.com>
Date: Thu, 30 Apr 2026 18:24:35 -0700
Subject: [PATCH 2/5] BSS: Add bounds check for link_id in Basic MLE parsing

In wpa_bss_parse_basic_ml_element() in bss.c, an extracted link_id is
used without validation against the maximum allowed links
(MAX_NUM_MLD_LINKS). Processing a malformed Basic Multi-Link element
(MLE) with an out-of-bounds link_id could lead to memory corruption.
However, the modified location is within the body of the received frame
and as such, this does not result in additional issues since that area
is controlled by the transmitter of the frame. In any case, it is better
to be explicit with validating the Link ID value.

This commit introduces a strict bounds check immediately after link_id
extraction. If link_id exceeds or equals MAX_NUM_MLD_LINKS, parsing is
gracefully aborted with a debug log entry.

Fixes: de5e01010cb2 ("wpa_supplicant: Support ML probe request")
Signed-off-by: Amarnath Hullur Subramanyam <amarnathhs@google.com>
---
 wpa_supplicant/bss.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index e8aaf6fe1848..11950064a1b6 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -1710,6 +1710,11 @@ int wpa_bss_parse_basic_ml_element(struct wpa_supplicant *wpa_s,
 			  ETH_ALEN);
 
 	link_id = ml_basic_common_info->variable[0] & EHT_ML_LINK_ID_MSK;
+	if (link_id >= MAX_NUM_MLD_LINKS) {
+		wpa_printf(MSG_DEBUG, "MLD: Invalid link ID %u in Basic MLE",
+			   link_id);
+		goto out;
+	}
 
 	bss->mld_link_id = link_id;
 	seen = bss->valid_links = BIT(link_id);
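Review bot: The new check at `if (link_id >= MAX_NUM_MLD_LINKS)` sits after the call that ends in `ETH_ALEN);`, so when parsing aborts through `goto out`, whatever that call wrote is already in place while `bss->mld_link_id` and `bss->valid_links` are left untouched. If that call updates state in `bss`, consider extracting and validating link_id before it, or confirm that the `out` path returns an error and that callers do not use a partially updated entry. Since link_id is already masked with EHT_ML_LINK_ID_MSK, a short comment noting which values can still reach this branch would also make the intent of the check clearer.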
-- 
2.43.0

