[PATCH 07/20] AP: Reject (Re)Association Request with mismatched security profile
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Wed Jun 10 06:12:00 PDT 2026
From: Ilan Peer <ilan.peer at intel.com>
In case security profile support is enabled and the association
frame includes a Security Profile element verify that a single
security profile is included, and that it matches a supported
security profile, and that the RSN and extended RSN element are valid.
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
src/ap/ieee802_11.c | 25 +++++++++++++++++++++++++
src/ap/wpa_auth_ie.c | 4 ++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index e100dfa2f1..23493d6533 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -5691,6 +5691,31 @@ static int __check_assoc_ies(struct hostapd_data *hapd, struct sta_info *sta,
goto skip_wpa_ies;
}
+ /*
+ * If support for security profiles is enabled and the association
+ * request includes a Security Profile element, verify that the values
+ * of the RSNE and RSNXE, and the indications in the Security Profile
+ * element are valid.
+ */
+ if (hapd->conf->sec_profile_enabled && elems->security_profile &&
+ (!elems->rsn_ie ||
+ !wpa_auth_validate_security_profile(hapd->wpa_auth,
+ elems->rsn_ie - 2,
+ elems->rsn_ie_len + 2,
+ elems->rsnxe ?
+ elems->rsnxe - 2 : NULL,
+ elems->rsnxe ?
+ elems->rsnxe_len + 2 : 0,
+ elems->security_profile,
+ elems->security_profile_len))) {
+ wpa_printf(MSG_INFO,
+ "RSN: (Re)Association Request from " MACSTR
+ " does not match any advertised security profile",
+ MAC2STR(sta->addr));
+ resp = WLAN_STATUS_REJECTED_INVALID_SECURITY_PROFILE;
+ goto out;
+ }
+
if ((hapd->conf->wpa & WPA_PROTO_RSN) && elems->rsn_ie) {
wpa_ie = elems->rsn_ie;
wpa_ie_len = elems->rsn_ie_len;
diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c
index 0a3e2cafc1..35ef81a2cc 100644
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -720,8 +720,8 @@ static u16 wpa_match_security_profiles(struct wpa_auth_config *conf)
* @wpa_auth: WPA authenticator context
* @rsne: Pointer to the RSN element
* @rsne_len: Length of the RSN element
- * @rsnxe: Pointer to the RSNXE element
- * @rsnxe_len: Length of the RSNXE element
+ * @rsnxe: Pointer to the RSNXE element (can be NULL)
+ * @rsnxe_len: Length of the RSNXE element (can be 0 if rsnxe is NULL)
* @secp_body: Pointer to the Security Profile element
* @secp_body_len: Length of the Security Profile element
* Returns: true on match, false on mismatch or error
--
2.53.0
More information about the Hostap
mailing list