1 files changed, 48 insertions, 14 deletions
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index f1765de2f4bf..9dc3b5f26e80 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -87,42 +87,76 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
-        /* No way to verify the MIC if the hardware stripped it */
+        /*
-        if (status->flag & RX_FLAG_MMIC_STRIPPED)
+         * it makes no sense to check for MIC errors on anything other
+         * than data frames.
+         */
+        if (!ieee80211_is_data_present(hdr->frame_control))
+                return RX_CONTINUE;
+        /*
+         * No way to verify the MIC if the hardware stripped it or
+         * the IV with the key index. In this case we have solely rely
+         * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
+         * MIC failure report.
+         */
+        if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
+                if (status->flag & RX_FLAG_MMIC_ERROR)
+                        goto mic_fail;
+                if (!(status->flag & RX_FLAG_IV_STRIPPED))
+                        goto update_iv;
                return RX_CONTINUE;
+        }
+        /*
+         * Some hardware seems to generate Michael MIC failure reports; even
+         * though, the frame was not encrypted with TKIP and therefore has no
+         * MIC. Ignore the flag them to avoid triggering countermeasures.
+         */
        if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
-            !ieee80211_has_protected(hdr->frame_control) ||
+            !(status->flag & RX_FLAG_DECRYPTED))
-            !ieee80211_is_data_present(hdr->frame_control))
                return RX_CONTINUE;
+        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
+                /*
+                 * APs with pairwise keys should never receive Michael MIC
+                 * errors for non-zero keyidx because these are reserved for
+                 * group keys and only the AP is sending real multicast
+                 * frames in the BSS. (
+                 */
+                return RX_DROP_UNUSABLE;
+        }
+        if (status->flag & RX_FLAG_MMIC_ERROR)
+                goto mic_fail;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
        if (skb->len < hdrlen + MICHAEL_MIC_LEN)
                return RX_DROP_UNUSABLE;
        data = skb->data + hdrlen;
        data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
        key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
        michael_mic(key, hdr, data, data_len, mic);
-        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0) {
+        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
-                if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
+                goto mic_fail;
-                        return RX_DROP_UNUSABLE;
-                mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
-                                                (void *) skb->data, NULL,
-                                                GFP_ATOMIC);
-                return RX_DROP_UNUSABLE;
-        }
        /* remove Michael MIC from payload */
        skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
+update_iv:
        /* update IV in key information to be able to detect replays */
        rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;
        rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;
        return RX_CONTINUE;
+mic_fail:
+        mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
+                                        (void *) skb->data, NULL, GFP_ATOMIC);
+        return RX_DROP_UNUSABLE;
 }

diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index f1765de2f4bf..9dc3b5f26e80 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c
@@ -87,42 +87,76 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
87	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);	87	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
88	struct ieee80211_hdr hdr = (struct ieee80211_hdr )skb->data;	88	struct ieee80211_hdr hdr = (struct ieee80211_hdr )skb->data;
89		89
90	/* No way to verify the MIC if the hardware stripped it */	90	/*
91	if (status->flag & RX_FLAG_MMIC_STRIPPED)	91	* it makes no sense to check for MIC errors on anything other
		92	* than data frames.
		93	*/
		94	if (!ieee80211_is_data_present(hdr->frame_control))
		95	return RX_CONTINUE;
		96
		97	/*
		98	* No way to verify the MIC if the hardware stripped it or
		99	* the IV with the key index. In this case we have solely rely
		100	* on the driver to set RX_FLAG_MMIC_ERROR in the event of a
		101	* MIC failure report.
		102	*/
		103	if (status->flag & (RX_FLAG_MMIC_STRIPPED \| RX_FLAG_IV_STRIPPED)) {
		104	if (status->flag & RX_FLAG_MMIC_ERROR)
		105	goto mic_fail;
		106
		107	if (!(status->flag & RX_FLAG_IV_STRIPPED))
		108	goto update_iv;
		109
92	return RX_CONTINUE;	110	return RX_CONTINUE;
		111	}
93		112
		113	/*
		114	* Some hardware seems to generate Michael MIC failure reports; even
		115	* though, the frame was not encrypted with TKIP and therefore has no
		116	* MIC. Ignore the flag them to avoid triggering countermeasures.
		117	*/
94	if (!rx->key \|\| rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP \|\|	118	if (!rx->key \|\| rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP \|\|
95	!ieee80211_has_protected(hdr->frame_control) \|\|	119	!(status->flag & RX_FLAG_DECRYPTED))
96	!ieee80211_is_data_present(hdr->frame_control))
97	return RX_CONTINUE;	120	return RX_CONTINUE;
98		121
		122	if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
		123	/*
		124	* APs with pairwise keys should never receive Michael MIC
		125	* errors for non-zero keyidx because these are reserved for
		126	* group keys and only the AP is sending real multicast
		127	* frames in the BSS. (
		128	*/
		129	return RX_DROP_UNUSABLE;
		130	}
		131
		132	if (status->flag & RX_FLAG_MMIC_ERROR)
		133	goto mic_fail;
		134
99	hdrlen = ieee80211_hdrlen(hdr->frame_control);	135	hdrlen = ieee80211_hdrlen(hdr->frame_control);
100	if (skb->len < hdrlen + MICHAEL_MIC_LEN)	136	if (skb->len < hdrlen + MICHAEL_MIC_LEN)
101	return RX_DROP_UNUSABLE;	137	return RX_DROP_UNUSABLE;
102		138
103	data = skb->data + hdrlen;	139	data = skb->data + hdrlen;
104	data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;	140	data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
105
106	key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];	141	key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
107	michael_mic(key, hdr, data, data_len, mic);	142	michael_mic(key, hdr, data, data_len, mic);
108	if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0) {	143	if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
109	if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))	144	goto mic_fail;
110	return RX_DROP_UNUSABLE;
111
112	mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
113	(void *) skb->data, NULL,
114	GFP_ATOMIC);
115	return RX_DROP_UNUSABLE;
116	}
117		145
118	/* remove Michael MIC from payload */	146	/* remove Michael MIC from payload */
119	skb_trim(skb, skb->len - MICHAEL_MIC_LEN);	147	skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
120		148
		149	update_iv:
121	/* update IV in key information to be able to detect replays */	150	/* update IV in key information to be able to detect replays */
122	rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;	151	rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;
123	rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;	152	rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;
124		153
125	return RX_CONTINUE;	154	return RX_CONTINUE;
		155
		156	mic_fail:
		157	mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
		158	(void *) skb->data, NULL, GFP_ATOMIC);
		159	return RX_DROP_UNUSABLE;
126	}	160	}
127		161
128		162