1 files changed, 22 insertions, 1 deletions
diff --git a/net/ieee80211/ieee80211_crypt_ccmp.c b/net/ieee80211/ieee80211_crypt_ccmp.c
index fdfe7704a469..35aa3426c3fa 100644
--- a/net/ieee80211/ieee80211_crypt_ccmp.c
+++ b/net/ieee80211/ieee80211_crypt_ccmp.c
@@ -263,6 +263,27 @@ static int ieee80211_ccmp_encrypt(struct sk_buff *skb, int hdr_len, void *priv)
        return 0;
 }
+/*
+ * deal with seq counter wrapping correctly.
+ * refer to timer_after() for jiffies wrapping handling
+ */
+static inline int ccmp_replay_check(u8 *pn_n, u8 *pn_o)
+{
+        u32 iv32_n, iv16_n;
+        u32 iv32_o, iv16_o;
+        iv32_n = (pn_n[0] << 24) | (pn_n[1] << 16) | (pn_n[2] << 8) | pn_n[3];
+        iv16_n = (pn_n[4] << 8) | pn_n[5];
+        iv32_o = (pn_o[0] << 24) | (pn_o[1] << 16) | (pn_o[2] << 8) | pn_o[3];
+        iv16_o = (pn_o[4] << 8) | pn_o[5];
+        if ((s32)iv32_n - (s32)iv32_o < 0 ||
+            (iv32_n == iv32_o && iv16_n <= iv16_o))
+                return 1;
+        return 0;
+}
 static int ieee80211_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv)
 {
        struct ieee80211_ccmp_data *key = priv;
@@ -315,7 +336,7 @@ static int ieee80211_ccmp_decrypt(struct sk_buff *skb, int hdr_len, void *priv)
        pn[5] = pos[0];
        pos += 8;
-        if (memcmp(pn, key->rx_pn, CCMP_PN_LEN) <= 0) {
+        if (ccmp_replay_check(pn, key->rx_pn)) {
                if (net_ratelimit()) {
                        printk(KERN_DEBUG "CCMP: replay detected: STA=" MAC_FMT
                               " previous PN %02x%02x%02x%02x%02x%02x "

diff --git a/net/ieee80211/ieee80211_crypt_ccmp.c b/net/ieee80211/ieee80211_crypt_ccmp.c index fdfe7704a469..35aa3426c3fa 100644 --- a/net/ieee80211/ieee80211_crypt_ccmp.c +++ b/net/ieee80211/ieee80211_crypt_ccmp.c
@@ -263,6 +263,27 @@ static int ieee80211_ccmp_encrypt(struct sk_buff skb, int hdr_len, void priv)
263	return 0;	263	return 0;
264	}	264	}
265		265
		266	/*
		267	* deal with seq counter wrapping correctly.
		268	* refer to timer_after() for jiffies wrapping handling
		269	*/
		270	static inline int ccmp_replay_check(u8 pn_n, u8 pn_o)
		271	{
		272	u32 iv32_n, iv16_n;
		273	u32 iv32_o, iv16_o;
		274
		275	iv32_n = (pn_n[0] << 24) \| (pn_n[1] << 16) \| (pn_n[2] << 8) \| pn_n[3];
		276	iv16_n = (pn_n[4] << 8) \| pn_n[5];
		277
		278	iv32_o = (pn_o[0] << 24) \| (pn_o[1] << 16) \| (pn_o[2] << 8) \| pn_o[3];
		279	iv16_o = (pn_o[4] << 8) \| pn_o[5];
		280
		281	if ((s32)iv32_n - (s32)iv32_o < 0 \|\|
		282	(iv32_n == iv32_o && iv16_n <= iv16_o))
		283	return 1;
		284	return 0;
		285	}
		286
266	static int ieee80211_ccmp_decrypt(struct sk_buff skb, int hdr_len, void priv)	287	static int ieee80211_ccmp_decrypt(struct sk_buff skb, int hdr_len, void priv)
267	{	288	{
268	struct ieee80211_ccmp_data *key = priv;	289	struct ieee80211_ccmp_data *key = priv;
@@ -315,7 +336,7 @@ static int ieee80211_ccmp_decrypt(struct sk_buff skb, int hdr_len, void priv)
315	pn[5] = pos[0];	336	pn[5] = pos[0];
316	pos += 8;	337	pos += 8;
317		338
318	if (memcmp(pn, key->rx_pn, CCMP_PN_LEN) <= 0) {	339	if (ccmp_replay_check(pn, key->rx_pn)) {
319	if (net_ratelimit()) {	340	if (net_ratelimit()) {
320	printk(KERN_DEBUG "CCMP: replay detected: STA=" MAC_FMT	341	printk(KERN_DEBUG "CCMP: replay detected: STA=" MAC_FMT
321	" previous PN %02x%02x%02x%02x%02x%02x "	342	" previous PN %02x%02x%02x%02x%02x%02x "