www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Stanislaw Gruszka <sgruszka@redhat.com>
	Tue, 2 Oct 2012 19:34:23 +0000 (21:34 +0200)
committer	Guangyu Sun <guangyu.sun@oracle.com>
	Tue, 6 Nov 2012 00:33:29 +0000 (16:33 -0800)
commit	b65ad882f0f4cfc5f5032efd433238a8d10696b9
tree	81eec850d8704a3a6bf86f16d19d24565decdf85	tree
parent	8e7340b68914c6d14cbee6278cd423b8950519b4	commit \| diff

mac80211: check if key has TKIP type before updating IV

commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.

This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362

Pointer key->u.ccmp.tfm of group key get corrupted in:

ieee80211_rx_h_michael_mic_verify():

        /* update IV in key information to be able to detect replays */
        rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
        rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;

because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.

We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Guangyu Sun <guangyu.sun@oracle.com>