linux/net/mac80211
Johannes Berg 34459512ff mac80211: fix TKIP replay vulnerability
Unlike CCMP, the presence or absence of the QoS
field doesn't change the encryption, only the
TID is used. When no QoS field is present, zero
is used as the TID value. This means that it is
possible for an attacker to take a QoS packet
with TID 0 and replay it as a non-QoS packet.

Unfortunately, mac80211 uses different IVs for
checking the validity of the packet's TKIP IV
when it checks TID 0 and when it checks non-QoS
packets. This means it is vulnerable to this
replay attack.

To fix this, use the same replay counter for
TID 0 and non-QoS packets by overriding the
rx->queue value to 0 if it is 16 (non-QoS).

This is a minimal fix for now. I caused this
issue in

commit 1411f9b531
Author: Johannes Berg <johannes@sipsolutions.net>
Date:   Thu Jul 10 10:11:02 2008 +0200

    mac80211: fix RX sequence number check

while fixing a sequence number issue (there,
a separate counter needs to be used).

Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-07-07 13:06:09 -04:00
..
aes_ccm.c mac80211: Fix warnings due to -Wunused-but-set-variable 2011-04-26 15:50:31 -04:00
aes_ccm.h
aes_cmac.c mac80211: Remove redundant checks for NULL before calls to crypto_free_cipher() 2010-11-15 13:26:11 -05:00
aes_cmac.h
agg-rx.c mac80211: sparse RCU annotations 2011-05-16 14:10:41 -04:00
agg-tx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
cfg.c nl80211: Move peer link state definition to nl80211 2011-05-16 14:10:49 -04:00
cfg.h
chan.c mac80211: fix channel type recalculation with HT and non-HT interfaces 2011-03-14 14:46:58 -04:00
debugfs_key.c mac80211: sparse RCU annotations 2011-05-16 14:10:41 -04:00
debugfs_key.h mac80211: support separate default keys 2010-12-13 15:23:29 -05:00
debugfs_netdev.c mac80211: fix SMPS debugfs locking 2011-04-20 16:05:59 -04:00
debugfs_netdev.h
debugfs_sta.c mac80211: fix debugfs printk format warning 2011-04-19 15:38:03 -04:00
debugfs_sta.h
debugfs.c mac80211: add basic support for WoWLAN 2011-05-05 14:59:20 -04:00
debugfs.h mac80211: refactor debugfs function generation code 2010-11-15 13:24:48 -05:00
driver-ops.h mac80211: add support for HW scheduled scan 2011-05-11 15:12:27 -04:00
driver-trace.c
driver-trace.h mac80211: add support for HW scheduled scan 2011-05-11 15:12:27 -04:00
event.c
ht.c mac80211: sparse RCU annotations 2011-05-16 14:10:41 -04:00
ibss.c mac80211: fix IBSS teardown race 2011-06-08 14:19:05 -04:00
ieee80211_i.h Revert "mac80211: Skip tailroom reservation for full HW-crypto devices" 2011-06-06 15:23:53 -04:00
iface.c mac80211: call dev_alloc_name before copying name to sdata 2011-06-03 14:22:06 -04:00
Kconfig mac80211: remove the dependency on crypto_blkcipher 2011-04-04 16:20:00 -04:00
key.c Revert "mac80211: Skip tailroom reservation for full HW-crypto devices" 2011-06-06 15:23:53 -04:00
key.h mac80211: sparse RCU annotations 2011-05-16 14:10:41 -04:00
led.c mac80211: remove stray extern 2011-01-05 16:07:12 -05:00
led.h mac80211: selective throughput LED trigger active 2010-12-22 14:33:37 -05:00
main.c mac80211: add missing rcu_barrier 2011-05-16 14:25:29 -04:00
Makefile
mesh_hwmp.c mac80211: sparse RCU annotations 2011-05-16 14:10:41 -04:00
mesh_pathtbl.c Merge ssh://master.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-05-24 16:47:54 -04:00
mesh_plink.c nl80211: Move peer link state definition to nl80211 2011-05-16 14:10:49 -04:00
mesh.c mac80211: mesh: move some code to make it static 2011-05-12 14:10:55 -04:00
mesh.h mac80211: annotate and fix RCU in mesh code 2011-05-16 14:25:29 -04:00
michael.c
michael.h
mlme.c Revert "mac80211: stop queues before rate control updation" 2011-06-07 14:03:08 -04:00
offchannel.c mac80211: Optimize scans on current operating channel. 2011-02-04 16:30:32 -05:00
pm.c mac80211: add basic support for WoWLAN 2011-05-05 14:59:20 -04:00
rate.c cfg80211/mac80211: improve ad-hoc multicast rate handling 2010-11-24 16:19:35 -05:00
rate.h
rc80211_minstrel_debugfs.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: disallow seeks in minstrel debug code 2010-09-16 10:33:17 +02:00
rc80211_minstrel_ht.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-05-16 19:32:19 -04:00
rc80211_minstrel_ht.h
rc80211_minstrel.c mac80211: fix contention time computation in minstrel, minstrel_ht 2011-05-12 14:10:48 -04:00
rc80211_minstrel.h
rc80211_pid_algo.c
rc80211_pid_debugfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-10-23 11:47:02 -07:00
rc80211_pid.h Fix common misspellings 2011-03-31 11:26:23 -03:00
rx.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-05-16 19:32:19 -04:00
scan.c mac80211: fix ie memory allocation for scheduled scans 2011-07-07 13:06:08 -04:00
spectmgmt.c
sta_info.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-05-16 19:32:19 -04:00
sta_info.h nl80211: Move peer link state definition to nl80211 2011-05-16 14:10:49 -04:00
status.c mac80211: allow low level drivers to report packet loss 2011-04-28 14:50:00 -04:00
tkip.c mac80211: remove the dependency on crypto_blkcipher 2011-04-04 16:20:00 -04:00
tkip.h mac80211: remove the dependency on crypto_blkcipher 2011-04-04 16:20:00 -04:00
tx.c Revert "mac80211: Skip tailroom reservation for full HW-crypto devices" 2011-06-06 15:23:53 -04:00
util.c mac80211: add basic support for WoWLAN 2011-05-05 14:59:20 -04:00
wep.c mac80211: remove the dependency on crypto_blkcipher 2011-04-04 16:20:00 -04:00
wep.h mac80211: remove the dependency on crypto_blkcipher 2011-04-04 16:20:00 -04:00
wme.c mac80211: cleanup select_queue 2010-12-22 15:44:22 -05:00
wme.h
work.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
wpa.c mac80211: fix TKIP replay vulnerability 2011-07-07 13:06:09 -04:00
wpa.h