b43: Drop packets that we are not able to encrypt

We must not transmit packets we're not able to encrypt. This fixes a bug where in a tiny timeframe after machine resume packets can get sent unencrypted and might leak information. This also fixes three small resource leakages I spotted while fixing the security problem. Properly deallocate the DMA slots in any DMA allocation error path. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Michael Buesch <mb@bu3sch.de> 2008-01-23 15:44:15 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-31 22:26:45 -0500
commit: 09552ccd8277e6382097e93a40f7311a09449367 (patch)
tree: c6e9b3f46ab04a0f1a461699d01cd6dbaa71e9bb /drivers/net/wireless/b43/xmit.c
parent: 7be1bb6b798d506693d2d8668e801951996b5a4a (diff)
1 files changed, 27 insertions, 21 deletions
diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c
index 7de2814d527e..7caa26eb4105 100644
--- a/drivers/net/wireless/b43/xmit.c
+++ b/drivers/net/wireless/b43/xmit.c
@@ -178,12 +178,12 @@ static u8 b43_calc_fallback_rate(u8 bitrate)
 }
 /* Generate a TX data header. */
-void b43_generate_txhdr(struct b43_wldev *dev,
+int b43_generate_txhdr(struct b43_wldev *dev,
-                        u8 *_txhdr,
+                       u8 *_txhdr,
-                        const unsigned char *fragment_data,
+                       const unsigned char *fragment_data,
-                        unsigned int fragment_len,
+                       unsigned int fragment_len,
-                        const struct ieee80211_tx_control *txctl,
+                       const struct ieee80211_tx_control *txctl,
-                        u16 cookie)
+                       u16 cookie)
 {
        struct b43_txhdr *txhdr = (struct b43_txhdr *)_txhdr;
        const struct b43_phy *phy = &dev->phy;
@@ -238,22 +238,27 @@ void b43_generate_txhdr(struct b43_wldev *dev,
                B43_WARN_ON(key_idx >= dev->max_nr_keys);
                key = &(dev->key[key_idx]);
-                if (likely(key->keyconf)) {
+                if (unlikely(!key->keyconf)) {
-                        /* This key is valid. Use it for encryption. */
+                        /* This key is invalid. This might only happen
+                         * in a short timeframe after machine resume before
-                        /* Hardware appends ICV. */
+                         * we were able to reconfigure keys.
-                        plcp_fragment_len += txctl->icv_len;
+                         * Drop this packet completely. Do not transmit it
+                         * unencrypted to avoid leaking information. */
-                        key_idx = b43_kidx_to_fw(dev, key_idx);
+                        return -ENOKEY;
-                        mac_ctl |= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) &
-                                   B43_TXH_MAC_KEYIDX;
-                        mac_ctl |= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) &
-                                   B43_TXH_MAC_KEYALG;
-                        wlhdr_len = ieee80211_get_hdrlen(fctl);
-                        iv_len = min((size_t) txctl->iv_len,
-                                     ARRAY_SIZE(txhdr->iv));
-                        memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len);
                }
+                /* Hardware appends ICV. */
+                plcp_fragment_len += txctl->icv_len;
+                key_idx = b43_kidx_to_fw(dev, key_idx);
+                mac_ctl |= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) &
+                           B43_TXH_MAC_KEYIDX;
+                mac_ctl |= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) &
+                           B43_TXH_MAC_KEYALG;
+                wlhdr_len = ieee80211_get_hdrlen(fctl);
+                iv_len = min((size_t) txctl->iv_len,
+                             ARRAY_SIZE(txhdr->iv));
+                memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len);
        }
        if (b43_is_old_txhdr_format(dev)) {
                b43_generate_plcp_hdr((struct b43_plcp_hdr4 *)(&txhdr->old_format.plcp),
@@ -411,6 +416,7 @@ void b43_generate_txhdr(struct b43_wldev *dev,
        txhdr->phy_ctl = cpu_to_le16(phy_ctl);
        txhdr->extra_ft = extra_ft;
+        return 0;
 }
 static s8 b43_rssi_postprocess(struct b43_wldev *dev,
author	Michael Buesch <mb@bu3sch.de>	2008-01-23 15:44:15 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-31 22:26:45 -0500
commit	09552ccd8277e6382097e93a40f7311a09449367 (patch)
tree	c6e9b3f46ab04a0f1a461699d01cd6dbaa71e9bb /drivers/net/wireless/b43/xmit.c
parent	7be1bb6b798d506693d2d8668e801951996b5a4a (diff)

diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c index 7de2814d527e..7caa26eb4105 100644 --- a/drivers/net/wireless/b43/xmit.c +++ b/drivers/net/wireless/b43/xmit.c
@@ -178,12 +178,12 @@ static u8 b43_calc_fallback_rate(u8 bitrate)
178	}	178	}
179		179
180	/* Generate a TX data header. */	180	/* Generate a TX data header. */
181	void b43_generate_txhdr(struct b43_wldev *dev,	181	int b43_generate_txhdr(struct b43_wldev *dev,
182	u8 *_txhdr,	182	u8 *_txhdr,
183	const unsigned char *fragment_data,	183	const unsigned char *fragment_data,
184	unsigned int fragment_len,	184	unsigned int fragment_len,
185	const struct ieee80211_tx_control *txctl,	185	const struct ieee80211_tx_control *txctl,
186	u16 cookie)	186	u16 cookie)
187	{	187	{
188	struct b43_txhdr txhdr = (struct b43_txhdr )_txhdr;	188	struct b43_txhdr txhdr = (struct b43_txhdr )_txhdr;
189	const struct b43_phy *phy = &dev->phy;	189	const struct b43_phy *phy = &dev->phy;
@@ -238,22 +238,27 @@ void b43_generate_txhdr(struct b43_wldev *dev,
238	B43_WARN_ON(key_idx >= dev->max_nr_keys);	238	B43_WARN_ON(key_idx >= dev->max_nr_keys);
239	key = &(dev->key[key_idx]);	239	key = &(dev->key[key_idx]);
240		240
241	if (likely(key->keyconf)) {	241	if (unlikely(!key->keyconf)) {
242	/* This key is valid. Use it for encryption. */	242	/* This key is invalid. This might only happen
243		243	* in a short timeframe after machine resume before
244	/* Hardware appends ICV. */	244	* we were able to reconfigure keys.
245	plcp_fragment_len += txctl->icv_len;	245	* Drop this packet completely. Do not transmit it
246		246	* unencrypted to avoid leaking information. */
247	key_idx = b43_kidx_to_fw(dev, key_idx);	247	return -ENOKEY;
248	mac_ctl \|= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) &
249	B43_TXH_MAC_KEYIDX;
250	mac_ctl \|= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) &
251	B43_TXH_MAC_KEYALG;
252	wlhdr_len = ieee80211_get_hdrlen(fctl);
253	iv_len = min((size_t) txctl->iv_len,
254	ARRAY_SIZE(txhdr->iv));
255	memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len);
256	}	248	}
		249
		250	/* Hardware appends ICV. */
		251	plcp_fragment_len += txctl->icv_len;
		252
		253	key_idx = b43_kidx_to_fw(dev, key_idx);
		254	mac_ctl \|= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) &
		255	B43_TXH_MAC_KEYIDX;
		256	mac_ctl \|= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) &
		257	B43_TXH_MAC_KEYALG;
		258	wlhdr_len = ieee80211_get_hdrlen(fctl);
		259	iv_len = min((size_t) txctl->iv_len,
		260	ARRAY_SIZE(txhdr->iv));
		261	memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len);
257	}	262	}
258	if (b43_is_old_txhdr_format(dev)) {	263	if (b43_is_old_txhdr_format(dev)) {
259	b43_generate_plcp_hdr((struct b43_plcp_hdr4 *)(&txhdr->old_format.plcp),	264	b43_generate_plcp_hdr((struct b43_plcp_hdr4 *)(&txhdr->old_format.plcp),
@@ -411,6 +416,7 @@ void b43_generate_txhdr(struct b43_wldev *dev,
411	txhdr->phy_ctl = cpu_to_le16(phy_ctl);	416	txhdr->phy_ctl = cpu_to_le16(phy_ctl);
412	txhdr->extra_ft = extra_ft;	417	txhdr->extra_ft = extra_ft;
413		418
		419	return 0;
414	}	420	}
415		421
416	static s8 b43_rssi_postprocess(struct b43_wldev *dev,	422	static s8 b43_rssi_postprocess(struct b43_wldev *dev,