diff options
Diffstat (limited to 'net/mac80211')
| -rw-r--r-- | net/mac80211/scan.c | 3 | ||||
| -rw-r--r-- | net/mac80211/wpa.c | 16 |
2 files changed, 15 insertions, 4 deletions
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 58ffa7d069c7..669d2e32efb6 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c | |||
| @@ -877,7 +877,8 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata, | |||
| 877 | for (i = 0; i < IEEE80211_NUM_BANDS; i++) { | 877 | for (i = 0; i < IEEE80211_NUM_BANDS; i++) { |
| 878 | local->sched_scan_ies.ie[i] = kzalloc(2 + | 878 | local->sched_scan_ies.ie[i] = kzalloc(2 + |
| 879 | IEEE80211_MAX_SSID_LEN + | 879 | IEEE80211_MAX_SSID_LEN + |
| 880 | local->scan_ies_len, | 880 | local->scan_ies_len + |
| 881 | req->ie_len, | ||
| 881 | GFP_KERNEL); | 882 | GFP_KERNEL); |
| 882 | if (!local->sched_scan_ies.ie[i]) { | 883 | if (!local->sched_scan_ies.ie[i]) { |
| 883 | ret = -ENOMEM; | 884 | ret = -ENOMEM; |
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index d91c1a26630d..8f6a302d2ac3 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c | |||
| @@ -86,6 +86,11 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) | |||
| 86 | struct sk_buff *skb = rx->skb; | 86 | struct sk_buff *skb = rx->skb; |
| 87 | struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); | 87 | struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); |
| 88 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; | 88 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; |
| 89 | int queue = rx->queue; | ||
| 90 | |||
| 91 | /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */ | ||
| 92 | if (rx->queue == NUM_RX_DATA_QUEUES - 1) | ||
| 93 | queue = 0; | ||
| 89 | 94 | ||
| 90 | /* | 95 | /* |
| 91 | * it makes no sense to check for MIC errors on anything other | 96 | * it makes no sense to check for MIC errors on anything other |
| @@ -148,8 +153,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx) | |||
| 148 | 153 | ||
| 149 | update_iv: | 154 | update_iv: |
| 150 | /* update IV in key information to be able to detect replays */ | 155 | /* update IV in key information to be able to detect replays */ |
| 151 | rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32; | 156 | rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32; |
| 152 | rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16; | 157 | rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16; |
| 153 | 158 | ||
| 154 | return RX_CONTINUE; | 159 | return RX_CONTINUE; |
| 155 | 160 | ||
| @@ -241,6 +246,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) | |||
| 241 | struct ieee80211_key *key = rx->key; | 246 | struct ieee80211_key *key = rx->key; |
| 242 | struct sk_buff *skb = rx->skb; | 247 | struct sk_buff *skb = rx->skb; |
| 243 | struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); | 248 | struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); |
| 249 | int queue = rx->queue; | ||
| 250 | |||
| 251 | /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */ | ||
| 252 | if (rx->queue == NUM_RX_DATA_QUEUES - 1) | ||
| 253 | queue = 0; | ||
| 244 | 254 | ||
| 245 | hdrlen = ieee80211_hdrlen(hdr->frame_control); | 255 | hdrlen = ieee80211_hdrlen(hdr->frame_control); |
| 246 | 256 | ||
| @@ -261,7 +271,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx) | |||
| 261 | res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, | 271 | res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, |
| 262 | key, skb->data + hdrlen, | 272 | key, skb->data + hdrlen, |
| 263 | skb->len - hdrlen, rx->sta->sta.addr, | 273 | skb->len - hdrlen, rx->sta->sta.addr, |
| 264 | hdr->addr1, hwaccel, rx->queue, | 274 | hdr->addr1, hwaccel, queue, |
| 265 | &rx->tkip_iv32, | 275 | &rx->tkip_iv32, |
| 266 | &rx->tkip_iv16); | 276 | &rx->tkip_iv16); |
| 267 | if (res != TKIP_DECRYPT_OK) | 277 | if (res != TKIP_DECRYPT_OK) |