diff mbox series

[2/2] wifi: mac80211: disallow basic multi-link element in per-STA profile

Message ID 20240129200652.23f1e3b337f1.Idd2e43cdbfe3ba15b3e9b8aeb54c8115587177a0@changeid
State New
Headers show
Series [1/2] wifi: mac80211: add/use ieee80211_get_sn() | expand

Commit Message

Johannes Berg Jan. 29, 2024, 7:06 p.m. UTC 
From: Johannes Berg <johannes.berg@intel.com>

There really shouldn't be a basic multi-link element in any
per-STA profile in an association response, it's not clear
what that would really mean. Refuse connecting in this case
since the AP isn't following the spec.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/ieee80211_i.h | 1 +
 net/mac80211/mlme.c        | 3 ++-
 net/mac80211/util.c        | 5 +++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index f5fe659a1efd..e11297b4dc63 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1671,6 +1671,7 @@  enum ieee80211_elems_parse_error {
 	IEEE80211_PARSE_ERR_DUP_ELEM		= BIT(1),
 	IEEE80211_PARSE_ERR_BAD_ELEM_SIZE	= BIT(2),
 	IEEE80211_PARSE_ERR_UNEXPECTED_ELEM	= BIT(3),
+	IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC	= BIT(4),
 };
 
 /* Parsed Information Elements */
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d5293e715558..f110566a496b 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4303,7 +4303,8 @@  static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
 			link->u.mgd.bss_param_ch_cnt =
 				ieee80211_mle_get_bss_param_ch_cnt(elems->ml_basic);
 		}
-	} else if (!elems->prof ||
+	} else if (elems->parse_error & IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC ||
+		   !elems->prof ||
 		   !(elems->prof->control & prof_bss_param_ch_present)) {
 		ret = false;
 		goto out;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index c1fa762f0cba..d85a9c5cde26 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1012,6 +1012,11 @@  ieee80211_parse_extension_element(u32 *crc,
 			switch (le16_get_bits(mle->control,
 					      IEEE80211_ML_CONTROL_TYPE)) {
 			case IEEE80211_ML_CONTROL_TYPE_BASIC:
+				if (elems->ml_basic) {
+					elems->parse_error |=
+						IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
+					break;
+				}
 				elems->ml_basic_elem = (void *)elem;
 				elems->ml_basic = data;
 				elems->ml_basic_len = len;