From d98417218942d855f3e11051edb3da38d94906c8 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 23 Aug 2024 18:40:53 +0300
Subject: [PATCH] RSNO: Check that RSNOE/RSNO2E/RSNXOE fit into RSN Override Link KDE

While these elements fit without issue in production use cases, it is possible to override the elements for testing purposes and if such overridden elements are overly long, they would nto fit into the maximum length RSN Override Link KDE. This could result in difficult to debug failure cases, so check for this explicitly and instead of sending out the invalid M3, report the internal issue in the debug log and do not send M3.

Signed-off-by: Jouni Malinen
---
 src/ap/wpa_auth.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 093aea23a..49866c276 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -4549,6 +4549,7 @@ static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)
 struct wpa_authenticator *wpa_auth;
 const u8 *rsne, *rsnxe, *rsnoe, *rsno2e, *rsnxoe;
 size_t rsne_len, rsnxe_len, rsnoe_len, rsno2e_len, rsnxoe_len;
+ size_t kde_len;

 wpa_auth = wpa_get_link_auth(sm->wpa_auth, link_id);
 if (!wpa_auth)
@@ -4618,8 +4619,15 @@ static u8 * wpa_auth_ml_kdes(struct wpa_state_machine *sm, u8 *pos)

 /* RSN Override Link KDE */
 *pos++ = WLAN_EID_VENDOR_SPECIFIC;
- *pos++ = RSN_SELECTOR_LEN + 1 + rsnoe_len + rsno2e_len +
+ kde_len = RSN_SELECTOR_LEN + 1 + rsnoe_len + rsno2e_len +
 rsnxoe_len;
+ if (kde_len > 255) {
+ wpa_printf(MSG_ERROR,
+ "RSN: RSNOE/RSNO2E/RSNXOE too long (KDE length %zu) to fit in RSN Override Link KDE for link %u",
+ kde_len, link_id);
+ return NULL;
+ }
+ *pos++ = kde_len;
 RSN_SELECTOR_PUT(pos, WFA_KEY_DATA_RSN_OVERRIDE_LINK);
 pos += RSN_SELECTOR_LEN;
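Review bot: The new `kde_len > 255` guard in the second hunk covers only the RSN Override Link KDE, yet the context lines of the first hunk also declare `rsne_len` and `rsnxe_len`. If those feed another one-octet KDE length elsewhere in the loop body (not visible here), an overlong overridden RSNE/RSNXE would presumably still be truncated silently there and would need the same check. wpa_auth_ml_kdes() starts outside both hunks and can now return NULL, so its header comment should state the new contract, e.g. `/* Returns: pointer past the last KDE written, or NULL if an element does not fit into its KDE */`. The bare `255` would read better with a short why-comment such as `/* KDE Length field is a single octet */` next to the comparison.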
@@ -4972,6 +4980,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 #endif /* CONFIG_DPP2 */

 pos = wpa_auth_ml_kdes(sm, pos);
+ if (!pos) {
+ wpa_printf(MSG_ERROR, "RSN: Failed to add MLO KDEs");
+ goto done;
+ }

 if (sm->ssid_protection) {
 *pos++ = WLAN_EID_SSID;
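Review bot: Only this call site in PTKINITNEGOTIATING gains a NULL check, and the diffstat's 13 insertions are fully accounted for by the three hunks shown. Any other caller of wpa_auth_ml_kdes() in wpa_auth.c would therefore keep writing through a NULL `pos` once the new failure path triggers; it is worth grepping for other callers and adding the same `if (!pos)` guard there. The `done` label and the rest of the state handler are outside the hunk, so confirm that the label releases the key-data buffer allocated earlier on this path. The second MSG_ERROR line repeats what the callee already reports; including the peer address in it would make the log line useful when several stations are associating.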