From: Johannes Berg <johannes.berg@xxxxxxxxx>
There really shouldn't be a basic multi-link element in any
per-STA profile in an association response, it's not clear
what that would really mean. Refuse connecting in this case
since the AP isn't following the spec.
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
---
net/mac80211/ieee80211_i.h | 1 +
net/mac80211/mlme.c | 3 ++-
net/mac80211/util.c | 5 +++++
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index f5fe659a1efd..e11297b4dc63 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1671,6 +1671,7 @@ enum ieee80211_elems_parse_error {
IEEE80211_PARSE_ERR_DUP_ELEM = BIT(1),
IEEE80211_PARSE_ERR_BAD_ELEM_SIZE = BIT(2),
IEEE80211_PARSE_ERR_UNEXPECTED_ELEM = BIT(3),
+ IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC = BIT(4),
};
/* Parsed Information Elements */
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d5293e715558..f110566a496b 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4303,7 +4303,8 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
link->u.mgd.bss_param_ch_cnt =
ieee80211_mle_get_bss_param_ch_cnt(elems->ml_basic);
}
- } else if (!elems->prof ||
+ } else if (elems->parse_error & IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC ||
+ !elems->prof ||
!(elems->prof->control & prof_bss_param_ch_present)) {
ret = false;
goto out;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index c1fa762f0cba..d85a9c5cde26 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1012,6 +1012,11 @@ ieee80211_parse_extension_element(u32 *crc,
switch (le16_get_bits(mle->control,
IEEE80211_ML_CONTROL_TYPE)) {
case IEEE80211_ML_CONTROL_TYPE_BASIC:
+ if (elems->ml_basic) {
+ elems->parse_error |=
+ IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC;
+ break;
+ }
elems->ml_basic_elem = (void *)elem;
elems->ml_basic = data;
elems->ml_basic_len = len;
--
2.43.0
