Commit 1b72bf5a authored by David S. Miller

Merge tag 'mac80211-for-davem-2017-10-16' of...

Merge tag 'mac80211-for-davem-2017-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Just a single fix, for a WoWLAN-related part of CVE-2017-13080.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents 823038ca fdf7cb41
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
* Copyright 2007-2008 Johannes Berg <johannes@sipsolutions.net> * Copyright 2007-2008 Johannes Berg <johannes@sipsolutions.net>
* Copyright 2013-2014 Intel Mobile Communications GmbH * Copyright 2013-2014 Intel Mobile Communications GmbH
* Copyright 2015 Intel Deutschland GmbH * Copyright 2015-2017 Intel Deutschland GmbH
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
...@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key, ...@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
idx = key->conf.keyidx; idx = key->conf.keyidx;
key->local = sdata->local;
key->sdata = sdata;
key->sta = sta;
mutex_lock(&sdata->local->key_mtx); mutex_lock(&sdata->local->key_mtx);
...@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key, ...@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
else else
old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
/*
* Silently accept key re-installation without really installing the
* new version of the key to avoid nonce reuse or replay issues.
*/
if (old_key && key->conf.keylen == old_key->conf.keylen &&
!memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
ieee80211_key_free_unused(key);
ret = 0;
goto out;
}
key->local = sdata->local;
key->sdata = sdata;
key->sta = sta;
increment_tailroom_need_count(sdata); increment_tailroom_need_count(sdata);
ieee80211_key_replace(sdata, sta, pairwise, old_key, key); ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
...@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key, ...@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
ret = 0; ret = 0;
} }
out:
mutex_unlock(&sdata->local->key_mtx); mutex_unlock(&sdata->local->key_mtx);
return ret; return ret;
......
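Review bot: The re-install shortcut added in the `@@ -633,6 +630,21 @@` hunk hands `key` to `ieee80211_key_free_unused(key)` and still returns 0, so a caller that keeps using its `key` pointer after a successful return would presumably be touching freed memory. The callers are not visible on this page and should be audited, or the case reported distinctly (for example `ret = -EALREADY;`) and mapped to success by the callers that do not keep the pointer. Separately, the key bytes are compared with `memcmp()`, whose run time depends on the position of the first differing byte; a constant-time comparison is the safer habit for key material, e.g. `!crypto_memneq(key->conf.key, old_key->conf.key, key->conf.keylen)`. A short comment above the early exit stating that ownership of `key` ends there would also help the next reader. The body of `ieee80211_key_link` starts and ends outside the hunks shown.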