summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislaw Gruszka <sgruszka@redhat.com>2012-10-02 21:34:23 +0200
committerJohn W. Linville <linville@tuxdriver.com>2012-10-15 14:42:53 -0400
commit4045f72bcf3c293c7c5932ef001742d8bb5ded76 (patch)
tree55c85cefe2b663fe70d057fc7eadccb02b96c1c6
parent3d02a9265c5414b07b372dde616174d3c89071a0 (diff)
downloadlinux-3.10-4045f72bcf3c293c7c5932ef001742d8bb5ded76.tar.gz
linux-3.10-4045f72bcf3c293c7c5932ef001742d8bb5ded76.tar.bz2
linux-3.10-4045f72bcf3c293c7c5932ef001742d8bb5ded76.zip
mac80211: check if key has TKIP type before updating IV
This patch fix corruption which can manifest itself by following crash when switching on rfkill switch with rt2x00 driver: https://bugzilla.redhat.com/attachment.cgi?id=615362 Pointer key->u.ccmp.tfm of group key get corrupted in: ieee80211_rx_h_michael_mic_verify(): /* update IV in key information to be able to detect replays */ rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP. We already check type of the key in different path in ieee80211_rx_h_michael_mic_verify() function, so adding additional check here is reasonable. Cc: stable@vger.kernel.org # 3.0+ Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/wpa.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bdb53aba888..e72562a18ba 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_MMIC_ERROR)
goto mic_fail;
- if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
+ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
+ rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
goto update_iv;
return RX_CONTINUE;