From dad0d98570e3615b441d1c1e72e2945483a6fe77 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Date: Tue, 31 Mar 2026 17:47:03 +0300
Subject: [PATCH 5/5] MLD: Fix length check in common info for association
 failure cases

It is not sufficient to check that the indicated common info length is
sufficiently large to contain the information; there needs to be a check
for the indicated value to not be too large to go beyond the end of the
MLE as well. Without this, invalid MLE might result in ml_len wrapping
around to a huge value and reading beyond the end of the buffer for the
received frame. This could result in process termination.

Add the missed check for the Common Info field not being truncated in
the MLE in association failure cases.

Fixes: a58a0c592e20 ("MLD: Fix Multi-Link element parsing for association failures")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
---
 wpa_supplicant/events.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 600718d8efc4..d81578438588 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -3852,6 +3852,13 @@ static unsigned int wpas_ml_parse_assoc(struct wpa_supplicant *wpa_s,
 		goto out;
 	}
 
+	if (sizeof(*ml) + common_info->len > ml_len) {
+		wpa_printf(MSG_DEBUG,
+			   "MLD: Truncated common info (common_info->len=%u ml_len=%zu)",
+			   common_info->len, ml_len);
+		goto out;
+	}
+
 	wpa_printf(MSG_DEBUG, "MLD: address: " MACSTR,
 		   MAC2STR(common_info->mld_addr));
 
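Review bot: The new bound `if (sizeof(*ml) + common_info->len > ml_len)` carries no comment explaining why it is needed on top of the minimum-length check that ends just above it, so a later cleanup could take it for a duplicate and remove it. A short comment above the check would help. It should say that the indicated Common Info length must not extend past the end of the MLE, and that the comparison is written as an addition on the left so that it cannot wrap the way a subtraction from ml_len could. The commit message describes ml_len wrapping around to a huge value, but the arithmetic that wraps is outside this hunk; it is worth confirming that this check sits before every use of common_info->len in that arithmetic. Since the trigger is a malformed frame from the peer, a regression test that feeds an MLE with an oversized Common Info length through the association failure path would keep this from reappearing.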
-- 
2.43.0

