diff options
author | Stanislaw Gruszka <sgruszka@redhat.com> | 2012-10-02 21:34:23 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2012-10-15 14:42:53 -0400 |
commit | 4045f72bcf3c293c7c5932ef001742d8bb5ded76 (patch) | |
tree | 55c85cefe2b663fe70d057fc7eadccb02b96c1c6 /net | |
parent | 3d02a9265c5414b07b372dde616174d3c89071a0 (diff) | |
download | linux-4045f72bcf3c293c7c5932ef001742d8bb5ded76.tar.gz linux-4045f72bcf3c293c7c5932ef001742d8bb5ded76.tar.bz2 linux-4045f72bcf3c293c7c5932ef001742d8bb5ded76.zip |
mac80211: check if key has TKIP type before updating IV
This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362
Pointer key->u.ccmp.tfm of group key get corrupted in:
ieee80211_rx_h_michael_mic_verify():
/* update IV in key information to be able to detect replays */
rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.
We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.
Cc: stable@vger.kernel.org # 3.0+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/mac80211/wpa.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index bdb53aba888e..e72562a18bad 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) if (status->flag & RX_FLAG_MMIC_ERROR) goto mic_fail; - if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) + if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key && + rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP) goto update_iv; return RX_CONTINUE; |