[PATCH 90/92] NAN: Verify that only advertised CSIDs are used for NDP
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Wed Apr 22 05:24:21 PDT 2026
Allow only CSIDs published by the service for NDP establishment.
Add a NAN DE API to query whether the service supports a CSID.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
src/common/nan_de.c | 26 ++++++++++++++++++++++++++
src/common/nan_de.h | 1 +
wpa_supplicant/nan_supplicant.c | 13 +++++++++++++
3 files changed, 40 insertions(+)
diff --git a/src/common/nan_de.c b/src/common/nan_de.c
index ba0524da75..1464bd87be 100644
--- a/src/common/nan_de.c
+++ b/src/common/nan_de.c
@@ -2604,3 +2604,29 @@ u16 nan_de_get_service_bootstrap_methods(struct nan_de *de, int handle)
return srv->pbm;
}
+
+
+bool nan_de_service_supports_csid(struct nan_de *de, int handle, int csid)
+{
+ struct nan_de_service *srv;
+ int i;
+
+ if (handle < 1 || handle > NAN_DE_MAX_SERVICE)
+ return false;
+
+ srv = de->service[handle - 1];
+ if (!srv)
+ return false;
+
+ /* If cipher_suites_list is not set, all CSIDs are allowed */
+ if (!srv->cipher_suites_list)
+ return true;
+
+ /* Check if the CSID is in the service's cipher suite list */
+ for (i = 0; srv->cipher_suites_list[i]; i++) {
+ if (srv->cipher_suites_list[i] == csid)
+ return true;
+ }
+
+ return false;
+}
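Review bot: The `!srv->cipher_suites_list` branch fails open: a service that published no cipher suite list accepts every CSID, so the new check in the caller enforces nothing for that service. If a missing list is meant to denote a service without security, confirm that a secured NDP request against it should still be accepted and state that in the comment, e.g. `/* No list published: nothing to enforce, any CSID is accepted (fail-open by design) */`. The loop also stops at the first zero entry, so `csid == 0` is rejected when a list exists but accepted when it does not; an early `if (csid <= 0) return false;` would make the two paths agree, assuming 0 is never a valid CSID. `de` is dereferenced without a NULL check, which is safe only if every caller guarantees it.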
diff --git a/src/common/nan_de.h b/src/common/nan_de.h
index 24b6fcb028..0ce1e4d145 100644
--- a/src/common/nan_de.h
+++ b/src/common/nan_de.h
@@ -259,6 +259,7 @@ void nan_de_set_cluster_id(struct nan_de *de, const u8 *cluster_id);
bool nan_de_is_valid_instance_id(struct nan_de *de, int handle,
bool publish, u8 *service_id);
u16 nan_de_get_service_bootstrap_methods(struct nan_de *de, int handle);
+bool nan_de_service_supports_csid(struct nan_de *de, int handle, int csid);
int nan_de_stop_listen(struct nan_de *de, int handle);
diff --git a/wpa_supplicant/nan_supplicant.c b/wpa_supplicant/nan_supplicant.c
index 7f86567e1f..4f08f8d195 100644
--- a/wpa_supplicant/nan_supplicant.c
+++ b/wpa_supplicant/nan_supplicant.c
@@ -2137,6 +2137,19 @@ static int wpas_nan_fill_nd_pmk(struct wpa_supplicant *wpa_s,
return -1;
}
+ /*
+ * For NDP response (publisher side), check if the requested CSID
+ * is in the service's advertised cipher suite list.
+ */
+ if (ndp->type == NAN_NDP_ACTION_RESP &&
+ !nan_de_service_supports_csid(wpa_s->nan_de, handle,
+ ndp->sec.csid)) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Requested CSID %d not advertised by service",
+ ndp->sec.csid);
+ return -1;
+ }
+
if (pmk) {
if (os_strlen(pmk) != PMK_LEN * 2) {
wpa_printf(MSG_INFO, "NAN: Invalid PMK length: %zu",
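Review bot: The rejection is logged at `MSG_DEBUG`, while the PMK length error just below uses `MSG_INFO`; a peer requesting a cipher suite the service never advertised is a policy rejection worth seeing without debug logging enabled. `nan_de_service_supports_csid()` also returns false for an out-of-range handle or a missing service, so the message can misreport the cause; something like `wpa_printf(MSG_INFO, "NAN: CSID %d not allowed for service handle %d", ndp->sec.csid, handle);` covers both cases (assuming `handle` is an int here). The check runs only for `NAN_NDP_ACTION_RESP`, and wpas_nan_fill_nd_pmk starts and ends outside this hunk, so whether other NDP action types need the same validation cannot be judged from these lines.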
--
2.53.0