From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, alan@lxorguk.ukuu.org.uk, Stanislaw Gruszka, "John W. Linville"
Subject: [ 28/34] mac80211: check if key has TKIP type before updating IV
Date: Mon, 29 Oct 2012 13:07:59 -0700
Message-Id: <20121029200423.685764605@linuxfoundation.org>
In-Reply-To: <20121029200420.550338074@linuxfoundation.org>
References: <20121029200420.550338074@linuxfoundation.org>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka

commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.

This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362

Pointer key->u.ccmp.tfm of group key get corrupted in:

ieee80211_rx_h_michael_mic_verify():

        /* update IV in key information to be able to detect replays */
        rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
        rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;

because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.

We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.

Signed-off-by: Stanislaw Gruszka
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman

---
 net/mac80211/wpa.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -109,7 +109,8 @@ ieee80211_rx_h_michael_mic_verify(struct if (status->flag & RX_FLAG_MMIC_ERROR) goto mic_fail; - if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) + if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key && + rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP) goto update_iv; return RX_CONTINUE;
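
Review bot: the new cipher test guards only this one "goto update_iv" in ieee80211_rx_h_michael_mic_verify(), so the writes to rx->key->u.tkip.rx[] at the label stay safe only as long as every jump to update_iv does its own key-type check. The commit message says the other path already checks, but nothing at the label enforces it. Consider testing rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP at update_iv itself, or at least adding a short comment on the added condition saying that a driver may report a stripped MMIC for a non-TKIP key and that writing through u.tkip then clobbers u.ccmp.tfm, since the reason for the check is not evident from the code alone. The changelog could also say whether rt2x00 setting RX_FLAG_MMIC_STRIPPED for non-TKIP keys is to be fixed in the driver, because this change only makes mac80211 tolerate it.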