[PATCH v2 2/3] AP: Always re-add stations that use MLO
Benjamin Berg
benjamin at sipsolutions.net
Thu Jan 29 02:08:05 PST 2026
On Wed, 2026-01-28 at 10:58 +0530, Rameshkumar Sundaram wrote:
> > [SNIP]
> > if (FULL_AP_CLIENT_STATE_SUPP(hapd->iface->drv_flags) &&
> > - (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta)) &&
> > + (!(sta->flags & WLAN_STA_MFP) || !ap_sta_is_authorized(sta) ||
> > + mld_sta) &&
>
> Doing this will reset the connection (and keys) of the existing
> authorized ML STA in the driver. A simple authentication frame received
> with the MLD address set to the existing authorized STA’s address could
> terminate the secured association.
Uh, yes, what an embarrassing mistake …
> Should we instead defer this until the association request is received,
> where SA‑Query validation can be performed? Or perhaps until the SAE
> exchange is completed, if the authentication algorithm is SAE?
Yes, generally we should wait for SA-Query before kicking/modifying the
station. I checked internally, and in particular for 11bi, we should do
that once the authentication is completed without doing an SA-Query in
that case.
That said, I believe we do have a problem until that point as we
currently send the frames to the MLD address and rely on address
translation which will use the old link address. At least in this case,
we will need to send the frames directly to the new link address
instead.
That said, to properly fix this we need an nl80211/mac80211 API that
permits us to disable address translation for the frame. Otherwise we
would still get the address translated to the old link address should
the new link address match the MLD address.
Benjamin
> > !(hapd->conf->mesh & MESH_ENABLED) &&
> > !(sta->added_unassoc) && auth_alg != WLAN_AUTH_PASN) {
> > if (ap_sta_re_add(hapd, sta) < 0) {
>
>
> --
> Ramesh
>
More information about the Hostap
mailing list