From ae24a10634f6e19d75888f5d786f380bb7af5b86 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Date: Tue, 31 Mar 2026 23:16:08 +0300
Subject: [PATCH 3/5] MLD: Validate MLE Link ID fields in association rejection
 case

The reserved bits in the Link ID Info field of the Common Info field
need to be ignored to be more extensible in the future. Both the link ID
for the association link and the link IDs for other links need to be
verified to be within the valid range (0-14), so check that here. The
parsed link ID was not used for anything yet, but it is better to make
sure that this parser, which is in theory a common one, does not expose
invalid data to the caller should it be used for additional purposes in
the future.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
---
 wpa_supplicant/events.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 49917f7aaf72..600718d8efc4 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3864,7 +3864,12 @@ static unsigned int wpas_ml_parse_assoc(struct wpa_supplicant *wpa_s,
 	pos = common_info->variable;
 
 	/* Store the information for the association link */
-	ml_info[i].link_id = *pos;
+	ml_info[i].link_id = *pos & EHT_ML_LINK_ID_MSK;
+	if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) {
+		wpa_printf(MSG_DEBUG,
+			   "MLD: Invalid Link ID value for assoc link");
+		goto out;
+	}
 	pos++;
 
 	/* Skip the BSS Parameters Change Count */
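Review bot: The masked value is stored into `ml_info[i].link_id` before the range check, so on the `goto out` path the array (presumably caller-provided) still holds the out-of-range ID; whether that is harmless depends on what `out:` returns, which lies outside this hunk. Since the commit's stated goal is to avoid exposing invalid data to the caller, consider validating a local first (`link_id = *pos & EHT_ML_LINK_ID_MSK;`) and assigning `ml_info[i].link_id = link_id;` only after the check passes. The same store-then-check order appears in the second hunk at `ml_info[i].link_id = ctrl & EHT_PER_STA_CTRL_LINK_ID_MSK;`. A short comment such as `/* Only the Link ID subfield is used; the remaining bits are reserved */` above the mask would record why it is applied.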
@@ -3999,6 +4004,10 @@ static unsigned int wpas_ml_parse_assoc(struct wpa_supplicant *wpa_s,
 			   MAC2STR(pos + 1), nstr_bitmap_len);
 
 		ml_info[i].link_id = ctrl & EHT_PER_STA_CTRL_LINK_ID_MSK;
+		if (ml_info[i].link_id >= MAX_NUM_MLD_LINKS) {
+			wpa_printf(MSG_DEBUG, "MLD: Invalid Link ID value");
+			goto out;
+		}
 		os_memcpy(ml_info[i].bssid, pos + 1, ETH_ALEN);
 
 		pos += sta_info_len;
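Review bot: The rejection message `"MLD: Invalid Link ID value"` omits the offending value and does not say it came from a per-STA entry, so a debug log cannot show which part of an AP-supplied frame was malformed. Consider `wpa_printf(MSG_DEBUG, "MLD: Invalid Link ID value %u in per-STA profile", ml_info[i].link_id);`. The added check is range-only; if a per-STA entry repeating the association link's ID or an earlier entry's ID is not rejected elsewhere in this loop (not visible in the hunk), a duplicate check would be a useful follow-up.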
-- 
2.43.0

