From: Johannes Berg <johannes@sipsolutions.net>
To: mike@hellotwist.com, Jouni Malinen <j@w1.fi>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] mac80211: Validate michael MIC before attempting packet decode.
Date: Fri, 12 May 2017 10:52:26 +0200
Message-ID: <1494579146.32348.3.camel@sipsolutions.net>
In-Reply-To: <CAKXXJEymJXEp70bUMuNCxDAA1CLCOJN4DjnPBkf5oh6Nqn7JQA@mail.gmail.com> (sfid-20170511_222236_614264_021DE9B1)

On Thu, 2017-05-11 at 16:22 -0400, Michael Skeffington wrote:
> I am using an rt5350 SoC using the rt2x00 driver. We were doing
> WiFi-alliance certification testing on our device and it wasn't
> issuing countermeasures appropriately.
>
> Your assumption is correct. I had overlooked that devices using this
> driver have hardware decoding and the driver sets RX_FLAG_MMIC_ERROR.
> In retrospect, the change I proposed is totally broken.
>
> I'm running through the failure case again so I can identify where in
> the rx_decrypt function it falls through. It seems odd that it would
> drop the packet in rx_decrypt given that it doesn't actually do any
> decryption. I suspect that's related to the underlying bug.

Here's the driver code from rt2500usb (but it's similar in the others):

	rxdesc->flags |= RX_FLAG_MMIC_STRIPPED;
	if (rxdesc->cipher_status == RX_CRYPTO_SUCCESS)
		rxdesc->flags |= RX_FLAG_DECRYPTED;
	else if (rxdesc->cipher_status == RX_CRYPTO_FAIL_MIC)
		rxdesc->flags |= RX_FLAG_MMIC_ERROR;

I think if you just change it to be

	[...]
	else if (rxdesc->cipher_status == RX_CRYPTO_FAIL_MIC)
		rxdesc->flags |= RX_FLAG_MMIC_ERROR |
				 RX_FLAG_DECRYPTED;

things will start working. This is arguably correct since to be able to
check the MMIC, the frame has to have been decrypted (properly) before.

johannes
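
The flag handling discussed in this message, as an added example that is not part of the original email or of the kernel sources: a simplified user-space C model of why a hardware-reported MIC failure never reaches the MIC handling unless the frame is also marked as decrypted. The flag and status names follow the thread; the numeric values, the function names and the two-step receive path are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Names follow the thread; the numeric values are constructed for this model. */
#define RX_FLAG_MMIC_ERROR    (1u << 0)
#define RX_FLAG_DECRYPTED     (1u << 1)
#define RX_FLAG_MMIC_STRIPPED (1u << 2)

enum cipher_status { RX_CRYPTO_SUCCESS, RX_CRYPTO_FAIL_MIC };
enum rx_outcome { RX_DELIVERED, RX_DROPPED_IN_DECRYPT, RX_MIC_FAILURE_REPORTED };

/* Driver side: the flag logic quoted above, with the proposed change optional. */
static unsigned int driver_flags(enum cipher_status st, bool with_fix)
{
	unsigned int flags = RX_FLAG_MMIC_STRIPPED;
	if (st == RX_CRYPTO_SUCCESS)
		flags |= RX_FLAG_DECRYPTED;
	else if (st == RX_CRYPTO_FAIL_MIC)
		flags |= RX_FLAG_MMIC_ERROR | (with_fix ? RX_FLAG_DECRYPTED : 0u);
	return flags;
}

/* Stack side (hypothetical model): the decrypt step runs before the MIC step. */
static enum rx_outcome rx_path(unsigned int flags)
{
	/* Assumption: a frame without RX_FLAG_DECRYPTED is treated as still
	 * encrypted and dropped here, so the MIC step below never sees it. */
	if (!(flags & RX_FLAG_DECRYPTED))
		return RX_DROPPED_IN_DECRYPT;
	if (flags & RX_FLAG_MMIC_ERROR)
		return RX_MIC_FAILURE_REPORTED; /* the event countermeasures rely on */
	return RX_DELIVERED;
}

/* MIC failure reports raised by two frames that fail the MIC in hardware. */
static int count_mic_reports(bool with_fix)
{
	int reports = 0;
	for (int i = 0; i < 2; i++)
		if (rx_path(driver_flags(RX_CRYPTO_FAIL_MIC, with_fix)) == RX_MIC_FAILURE_REPORTED)
			reports++;
	return reports;
}

int main(void)
{
	printf("original: %d reports, with change: %d reports\n",
	       count_mic_reports(false), count_mic_reports(true));
	return 0;
}
```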