aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislaw Gruszka <sgruszka@redhat.com>2012-10-02 21:34:23 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-10-31 10:10:19 -0700
commit8f645c50b625f912ee7e62687cd88c468f92ac64 (patch)
treef16b145d2318b910bc15d54b0c527a051c1dff18
parenta52e181f56c22cd26444e61c0ac87222bd187564 (diff)
downloadlinux-linaro-stable-8f645c50b625f912ee7e62687cd88c468f92ac64.tar.gz
mac80211: check if key has TKIP type before updating IV
commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream. This patch fix corruption which can manifest itself by following crash when switching on rfkill switch with rt2x00 driver: https://bugzilla.redhat.com/attachment.cgi?id=615362 Pointer key->u.ccmp.tfm of group key get corrupted in: ieee80211_rx_h_michael_mic_verify(): /* update IV in key information to be able to detect replays */ rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP. We already check type of the key in different path in ieee80211_rx_h_michael_mic_verify() function, so adding additional check here is reasonable. Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--net/mac80211/wpa.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bdb53aba888e..e72562a18bad 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_MMIC_ERROR)
goto mic_fail;
- if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
+ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
+ rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
goto update_iv;
return RX_CONTINUE;