mac80211: simplify RX PN/IV handling

The current rx->queue value is slightly confusing.
It is set to 16 on non-QoS frames, including data,
and then used for sequence number and PN/IV checks.
Until recently, we had a TKIP IV checking bug that
had been introduced in 2008 to fix a seqno issue.
Before that, we always used TID 0 for checking the
PN or IV on non-QoS packets.

Go back to the old status for PN/IV checks using
the TID 0 counter for non-QoS by splitting up the
rx->queue value into "seqno_idx" and "security_idx"
in order to avoid confusion in the future. They
each have special rules on the value used for non-
QoS data frames.

Since the handling is now unified, also revert the
special TKIP handling from my patch
"mac80211: fix TKIP replay vulnerability".

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 21 insertions, 12 deletions

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index b5493ecd1e93..e6dccc70931d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -331,7 +331,7 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 {
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
-        int tid;
+        int tid, seqno_idx, security_idx;
 
         /* does the frame have a qos control field? */
         if (ieee80211_is_data_qos(hdr->frame_control)) {
@@ -340,6 +340,9 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
                 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
                 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
                         status->rx_flags |= IEEE80211_RX_AMSDU;
+
+                seqno_idx = tid;
+                security_idx = tid;
         } else {
                 /*
                  * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
@@ -352,10 +355,15 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
                  *
                  * We also use that counter for non-QoS STAs.
                  */
-                tid = NUM_RX_DATA_QUEUES - 1;
+                seqno_idx = NUM_RX_DATA_QUEUES;
+                security_idx = 0;
+                if (ieee80211_is_mgmt(hdr->frame_control))
+                        security_idx = NUM_RX_DATA_QUEUES;
+                tid = 0;
         }
 
-        rx->queue = tid;
+        rx->seqno_idx = seqno_idx;
+        rx->security_idx = security_idx;
         /* Set skb->priority to 1d tag if highest order bit of TID is not set.
          * For now, set skb->priority to 0 for other cases. */
         rx->skb->priority = (tid > 7) ? 0 : tid;
@@ -810,7 +818,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
         /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
         if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
                 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
-                             rx->sta->last_seq_ctrl[rx->queue] ==
+                             rx->sta->last_seq_ctrl[rx->seqno_idx] ==
                              hdr->seq_ctrl)) {
                         if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
                                 rx->local->dot11FrameDuplicateCount++;
@@ -818,7 +826,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                         }
                         return RX_DROP_UNUSABLE;
                 } else
-                        rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl;
+                        rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
         }
 
         if (unlikely(rx->skb->len < 16)) {
@@ -1374,11 +1382,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         if (frag == 0) {
                 /* This is the first fragment of a new frame. */
                 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
-                                                 rx->queue, &(rx->skb));
+                                                 rx->seqno_idx, &(rx->skb));
                 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
                     ieee80211_has_protected(fc)) {
-                        int queue = ieee80211_is_mgmt(fc) ?
-                                NUM_RX_DATA_QUEUES : rx->queue;
+                        int queue = rx->security_idx;
                         /* Store CCMP PN so that we can verify that the next
                          * fragment has a sequential PN value. */
                         entry->ccmp = 1;
@@ -1392,7 +1399,8 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         /* This is a fragment for a frame that should already be pending in
          * fragment cache. Add this fragment to the end of the pending entry.
          */
-        entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr);
+        entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
+                                          rx->seqno_idx, hdr);
         if (!entry) {
                 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
                 return RX_DROP_MONITOR;
@@ -1412,8 +1420,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
                         if (pn[i])
                                 break;
                 }
-                queue = ieee80211_is_mgmt(fc) ?
-                        NUM_RX_DATA_QUEUES : rx->queue;
+                queue = rx->security_idx;
                 rpn = rx->key->u.ccmp.rx_pn[queue];
                 if (memcmp(pn, rpn, CCMP_PN_LEN))
                         return RX_DROP_UNUSABLE;
@@ -2590,7 +2597,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
                 .sta = sta,
                 .sdata = sta->sdata,
                 .local = sta->local,
-                .queue = tid,
+                /* This is OK -- must be QoS data frame */
+                .security_idx = tid,
+                .seqno_idx = tid,
                 .flags = 0,
         };
         struct tid_ampdu_rx *tid_agg_rx;