summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislaw Gruszka <sgruszka@redhat.com>2012-10-02 21:34:23 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-10-31 10:03:01 -0700
commit5a01241c81ac4bf6a7a486051699f791634e7b22 (patch)
tree54c7be81f6291608f8d34221acb37e6d29839261
parentadb91f6de096f878fb1cb9e0ff5839b2d432e67e (diff)
downloadlwn-5a01241c81ac4bf6a7a486051699f791634e7b22.tar.gz
lwn-5a01241c81ac4bf6a7a486051699f791634e7b22.zip
mac80211: check if key has TKIP type before updating IV
commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream. This patch fix corruption which can manifest itself by following crash when switching on rfkill switch with rt2x00 driver: https://bugzilla.redhat.com/attachment.cgi?id=615362 Pointer key->u.ccmp.tfm of group key get corrupted in: ieee80211_rx_h_michael_mic_verify(): /* update IV in key information to be able to detect replays */ rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP. We already check type of the key in different path in ieee80211_rx_h_michael_mic_verify() function, so adding additional check here is reasonable. Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/mac80211/wpa.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 0ae23c60968c..ea6d03bd5d5f 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_MMIC_ERROR)
goto mic_fail;
- if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
+ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
+ rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
goto update_iv;
return RX_CONTINUE;