Hi!
So this changes bool variables to u8:1, but still assigns true/false
there, which looks like "interesting" style. Should we switch to 0/1?
Best regards,
Pavel
> --- a/net/mac80211/rx.c
> +++ b/net/mac80211/rx.c
> @@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802
> * next fragment has a sequential PN value.
> */
> entry->check_sequential_pn = true;
> + entry->is_protected = true;
> entry->key_color = rx->key->color;
> memcpy(entry->last_pn,
> rx->key->u.ccmp.rx_pn[queue],
> @@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802
> sizeof(rx->key->u.gcmp.rx_pn[queue]));
> BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
> IEEE80211_GCMP_PN_LEN);
> + } else if (rx->key && ieee80211_has_protected(fc)) {
> + entry->is_protected = true;
> + entry->key_color = rx->key->color;
> }
> return RX_QUEUED;
> }
> @@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802
> if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
> return RX_DROP_UNUSABLE;
> memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
> + } else if (entry->is_protected &&
> + (!rx->key || !ieee80211_has_protected(fc) ||
> + rx->key->color != entry->key_color)) {
> + /* Drop this as a mixed key or fragment cache attack, even
> + * if for TKIP Michael MIC should protect us, and WEP is a
> + * lost cause anyway.
> + */
> + return RX_DROP_UNUSABLE;
> }
>
> skb_pull(rx->skb, ieee80211_hdrlen(fc));
> --- a/net/mac80211/sta_info.h
> +++ b/net/mac80211/sta_info.h
> @@ -453,7 +453,8 @@ struct ieee80211_fragment_entry {
> u16 extra_len;
> u16 last_frag;
> u8 rx_queue;
> - bool check_sequential_pn; /* needed for CCMP/GCMP */
> + u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
> + is_protected:1;
> u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
> unsigned int key_color;
> };
>
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: Digital signature
