[PATCH 2/2] RSN: Reject invalid MLO GTK KDE length in msg 3/4

Chung-Hsien Hsu chung-hsien.hsu at infineon.com
Tue May 12 06:15:58 PDT 2026


Validate MLO GTK KDE lengths in EAPOL-Key message 3/4 before
transmitting message 4/4.

The MLO GTK KDE length is already checked when processing each per-link
GTK for installation. However, that validation is reached only after
message 4/4 has been transmitted. This allows a malformed message 3/4
with an invalid MLO GTK KDE length to be acknowledged even though the
supplicant later rejects the GTK and fails the handshake.

Reject message 3/4 before sending message 4/4 if any per-link MLO GTK
KDE is too short to include the MLO GTK KDE prefix, or if the GTK
payload would exceed the local GTK buffer. Reuse the same helper in the
later MLO GTK installation path to keep the validation rules consistent.

Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu at infineon.com>
---
 src/rsn_supp/wpa.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index ecc0eddd45ab..acc50f4c77bd 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -1409,6 +1409,18 @@ static int wpa_supplicant_validate_gtk_kde_len(size_t gtk_len)
 }
 
 
+static int wpa_supplicant_validate_mlo_gtk_kde_len(size_t gtk_len)
+{
+	struct wpa_gtk_data gd;
+
+	if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
+	    gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
+		return -1;
+
+	return 0;
+}
+
+
 static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
 				      const struct wpa_gtk_data *gd,
 				      const u8 *key_rsc, int wnm_sleep)
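Review bot: The new helper wpa_supplicant_validate_mlo_gtk_kde_len() has no comment stating its contract, even though it is now the single source of truth for two call sites (the msg 3/4 pre-check and wpa_supplicant_mlo_gtk()). Suggest a header comment such as `/* Check that an MLO GTK KDE carries at least the MLO GTK KDE prefix and that the remaining GTK payload fits in struct wpa_gtk_data::gtk. Returns 0 if valid, -1 otherwise. */`. As a point of style, the local `gd` exists only to feed `sizeof(gd.gtk)`; that is well-defined (sizeof does not evaluate its operand), but a one-line comment on the declaration, e.g. `/* only used for sizeof */`, would stop a reader from looking for a use or an initialization.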
@@ -1602,8 +1614,7 @@ static int wpa_supplicant_mlo_gtk(struct wpa_sm *sm, u8 link_id, const u8 *gtk,
 			     "RSN: received GTK in pairwise handshake",
 			     gtk, gtk_len);
 
-	if (gtk_len < RSN_MLO_GTK_KDE_PREFIX_LENGTH ||
-	    gtk_len - RSN_MLO_GTK_KDE_PREFIX_LENGTH > sizeof(gd.gtk))
+	if (wpa_supplicant_validate_mlo_gtk_kde_len(gtk_len) < 0)
 		return -1;
 
 	gd.keyidx = gtk[0] & 0x3;
@@ -2886,6 +2897,14 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
 			goto failed;
 		}
 
+		if (wpa_supplicant_validate_mlo_gtk_kde_len(
+			    ie.mlo_gtk_len[i]) < 0) {
+			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+				"RSN: Invalid MLO GTK KDE length %lu for link ID %u",
+				(unsigned long) ie.mlo_gtk_len[i], i);
+			goto failed;
+		}
+
 		if (sm->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED &&
 		    wpa_cipher_valid_mgmt_group(sm->mgmt_group_cipher) &&
 		    wpa_validate_mlo_ieee80211w_kdes(sm, i, &ie) < 0)
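Review bot: The added length check carries no comment explaining why it is needed here when wpa_supplicant_mlo_gtk() performs the same validation; a reader of wpa_supplicant_process_3_of_4() alone cannot see that the later check runs only after msg 4/4 has already been transmitted, which is the whole reason for this hunk. Suggest a comment above the new `if`: `/* Validate MLO GTK KDE lengths before msg 4/4 is sent; the same check in wpa_supplicant_mlo_gtk() runs too late to reject a malformed msg 3/4. */`. The per-link loop this sits in starts and ends outside the hunk, so the guard that presumably rejects a missing per-link KDE just above the insertion (the `goto failed;` at the top of the hunk) is inferred, not visible here.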
-- 
2.25.1



