linux-stable/net/mac80211
Johannes Berg c8b3a6150d mac80211: check defrag PN against current frame
commit bf30ca922a upstream.

As pointed out by Mathy Vanhoef, we implement the RX PN check
on fragmented frames incorrectly - we check against the last
received PN prior to the new frame, rather than to the one in
this frame itself.

Prior patches addressed the security issue here, but in order
to be able to reason better about the code, fix it to really
compare against the current frame's PN, not the last stored
one.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210511200110.bfbc340ff071.Id0b690e581da7d03d76df90bb0e3fd55930bc8a0@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-06-03 08:59:01 +02:00
aead_api.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aead_api.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_ccm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_cmac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_cmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gcm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gmac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
aes_gmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
agg-rx.c mac80211: add missing null return check from call to ieee80211_get_sband 2019-07-31 10:51:17 +02:00
agg-tx.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
cfg.c mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN 2021-04-21 12:56:15 +02:00
chan.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
debug.h
debugfs.c mac80211: AMPDU handling for rekeys with Extended Key ID 2019-07-26 13:29:10 +02:00
debugfs.h
debugfs_key.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
debugfs_key.h
debugfs_netdev.c mac80211: fix txq null pointer dereference 2019-10-01 17:56:19 +02:00
debugfs_netdev.h
debugfs_sta.c mac80211: drop data frames without key on encrypted links 2020-04-01 11:02:01 +02:00
debugfs_sta.h
driver-ops.c mac80211: fix station rate table updates on assoc 2021-02-10 09:25:29 +01:00
driver-ops.h mac80211: pass the vif to cancel_remain_on_channel 2019-07-26 13:08:28 +02:00
ethtool.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 432 2019-06-05 17:37:16 +02:00
fils_aead.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
fils_aead.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
he.c mac80211: fix possible NULL pointerderef in obss pd code 2019-08-21 10:58:32 +02:00
ht.c mac80211: add support for the ADDBA extension element 2019-07-29 16:40:22 +02:00
ibss.c mac80211: fix double free in ibss_leave 2021-03-30 14:35:29 +02:00
ieee80211_i.h mac80211: check defrag PN against current frame 2021-06-03 08:59:01 +02:00
iface.c mac80211: add fragment cache to sta_info 2021-06-03 08:59:01 +02:00
Kconfig Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
key.c mac80211: prevent mixed key and fragment cache attacks 2021-06-03 08:59:01 +02:00
key.h mac80211: prevent mixed key and fragment cache attacks 2021-06-03 08:59:01 +02:00
led.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
led.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
main.c mac80211: bail out if cipher schemes are invalid 2021-05-14 09:44:28 +02:00
Makefile
mesh.c mac80211: fix channel switch trigger from unknown mesh peer 2020-05-02 08:48:58 +02:00
mesh.h mac80211: implement HE support for mesh 2019-07-26 16:14:12 +02:00
mesh_hwmp.c mac80211: fix potential overflow when multiplying to u32 integers 2021-03-04 10:26:17 +01:00
mesh_pathtbl.c mac80211: mesh: fix mesh_pathtbl_init() error path 2020-12-21 13:27:03 +01:00
mesh_plink.c mac80211: implement HE support for mesh 2019-07-26 16:14:12 +02:00
mesh_ps.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mesh_sync.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
michael.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
michael.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
mlme.c mac80211: clear the beacon's CRC after channel switch 2021-05-19 10:08:22 +02:00
ocb.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
offchannel.c mac80211: pass the vif to cancel_remain_on_channel 2019-07-26 13:08:28 +02:00
pm.c
rate.c mac80211: fix station rate table updates on assoc 2021-02-10 09:25:29 +01:00
rate.h mac80211: populate debugfs only after cfg80211 init 2020-04-29 16:33:18 +02:00
rc80211_minstrel.c mac80211: minstrel: fix tx status processing corner case 2020-11-24 13:29:23 +01:00
rc80211_minstrel.h mac80211: minstrel: remove deferred sampling code 2020-11-24 13:29:23 +01:00
rc80211_minstrel_debugfs.c
rc80211_minstrel_ht.c mac80211: populate debugfs only after cfg80211 init 2020-04-29 16:33:18 +02:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: improve rate probing for devices with static fallback 2019-08-21 11:10:13 +02:00
rc80211_minstrel_ht_debugfs.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
rx.c mac80211: check defrag PN against current frame 2021-06-03 08:59:01 +02:00
scan.c mac80211: fix scan when operating on DFS channels in ETSI domains 2019-10-07 22:10:50 +02:00
spectmgmt.c mac80211: 160MHz with extended NSS BW in CSA 2021-02-13 13:52:55 +01:00
sta_info.c mac80211: add fragment cache to sta_info 2021-06-03 08:59:01 +02:00
sta_info.h mac80211: add fragment cache to sta_info 2021-06-03 08:59:01 +02:00
status.c mac80211: add ieee80211_is_any_nullfunc() 2020-05-10 10:31:32 +02:00
tdls.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-17 15:55:34 -07:00
tkip.c mac80211: Fix TKIP replay protection immediately after key setup 2020-02-05 21:22:46 +00:00
tkip.h Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
trace.c
trace.h mac80211: pass the vif to cancel_remain_on_channel 2019-07-26 13:08:28 +02:00
trace_msg.h mac80211: Increase MAX_MSG_LEN 2019-03-29 11:20:36 +01:00
tx.c mac80211: fix TXQ AC confusion 2021-04-14 08:24:12 +02:00
util.c mac80211: fix wrong 160/80+80 MHz setting 2020-03-05 16:43:41 +01:00
vht.c mac80211: don't set set TDLS STA bandwidth wider than possible 2020-12-30 11:51:25 +01:00
wep.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
wep.h Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2019-07-08 20:57:08 -07:00
wme.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wme.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
wpa.c mac80211: check defrag PN against current frame 2021-06-03 08:59:01 +02:00
wpa.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00