mac80211: check if key has TKIP type before updating IV

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362

Pointer key->u.ccmp.tfm of group key get corrupted in:

ieee80211_rx_h_michael_mic_verify():

/* update IV in key information to be able to detect replays */
rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;

because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.

We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.

Cc: stable@vger.kernel.org # 3.0+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by

Stanislaw Gruszka and committed by

John W. Linville 13 years ago 4045f72b 3d02a926

+2 -1

1 changed file

expand all

net

mac80211

wpa.c

+2 -1

net/mac80211/wpa.c

··· 106 106 if (status->flag & RX_FLAG_MMIC_ERROR) 107 107 goto mic_fail; 108 108 109 - if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) 109 + if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key && 110 + rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP) 110 111 goto update_iv; 111 112 112 113 return RX_CONTINUE;