Hi! So this changes bool variables to u8:1, but still assigns true/false there, which looks like "interesting" style. Should we switch to 0/1? Best regards, Pavel > --- a/net/mac80211/rx.c > +++ b/net/mac80211/rx.c > @@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802 > * next fragment has a sequential PN value. > */ > entry->check_sequential_pn = true; > + entry->is_protected = true; > entry->key_color = rx->key->color; > memcpy(entry->last_pn, > rx->key->u.ccmp.rx_pn[queue], > @@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802 > sizeof(rx->key->u.gcmp.rx_pn[queue])); > BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != > IEEE80211_GCMP_PN_LEN); > + } else if (rx->key && ieee80211_has_protected(fc)) { > + entry->is_protected = true; > + entry->key_color = rx->key->color; > } > return RX_QUEUED; > } > @@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802 > if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) > return RX_DROP_UNUSABLE; > memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); > + } else if (entry->is_protected && > + (!rx->key || !ieee80211_has_protected(fc) || > + rx->key->color != entry->key_color)) { > + /* Drop this as a mixed key or fragment cache attack, even > + * if for TKIP Michael MIC should protect us, and WEP is a > + * lost cause anyway. > + */ > + return RX_DROP_UNUSABLE; > } > > skb_pull(rx->skb, ieee80211_hdrlen(fc)); > --- a/net/mac80211/sta_info.h > +++ b/net/mac80211/sta_info.h > @@ -453,7 +453,8 @@ struct ieee80211_fragment_entry { > u16 extra_len; > u16 last_frag; > u8 rx_queue; > - bool check_sequential_pn; /* needed for CCMP/GCMP */ > + u8 check_sequential_pn:1, /* needed for CCMP/GCMP */ > + is_protected:1; > u8 last_pn[6]; /* PN of the last fragment if CCMP was used */ > unsigned int key_color; > }; > -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: Digital signature