Sometimes when reporting a MIC failure rx->key may be unset. This
code path is hit when receiving a packet meant for a multicast
address, and decryption is performed in HW.
Fortunately, the failing key_idx is not used for anything up to
(and including) usermode, so we allow ourselves to drop it on the
way up when a key cannot be retrieved.
Signed-off-by: Arik Nemtsov <[email protected]>
---
We now discard invalid key indices on the way up, as Johannes
suggested privately.
net/mac80211/wpa.c | 8 +++++++-
net/wireless/nl80211.c | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 9dc3b5f..d91c1a2 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -154,7 +154,13 @@ update_iv:
return RX_CONTINUE;
mic_fail:
- mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
+ /*
+ * In some cases the key can be unset - e.g. a multicast packet, in
+ * a driver that supports HW encryption. Send up the key idx only if
+ * the key is set.
+ */
+ mac80211_ev_michael_mic_failure(rx->sdata,
+ rx->key ? rx->key->conf.keyidx : -1,
(void *) skb->data, NULL, GFP_ATOMIC);
return RX_DROP_UNUSABLE;
}
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index ec83f41..785549d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6464,7 +6464,8 @@ void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
if (addr)
NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, addr);
NLA_PUT_U32(msg, NL80211_ATTR_KEY_TYPE, key_type);
- NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
+ if (key_id != -1)
+ NLA_PUT_U8(msg, NL80211_ATTR_KEY_IDX, key_id);
if (tsc)
NLA_PUT(msg, NL80211_ATTR_KEY_SEQ, 6, tsc);
--
1.7.4.1
On Wed, 2011-06-22 at 23:41 +0300, Arik Nemtsov wrote:
> Sometimes when reporting a MIC failure rx->key may be unset. This
> code path is hit when receiving a packet meant for a multicast
> address, and decryption is performed in HW.
>
> Fortunately, the failing key_idx is not used for anything up to
> (and including) usermode, so we allow ourselves to drop it on the
> way up when a key cannot be retrieved.
>
> Signed-off-by: Arik Nemtsov <[email protected]>
It'd be nice to also update the docs for the cfg80211 function to
document the -1 special case, but other than that:
Reviewed-by: Johannes Berg <[email protected]>
johannes
On Wed, Jun 22, 2011 at 23:52, Johannes Berg <[email protected]> wrote:
> On Wed, 2011-06-22 at 23:41 +0300, Arik Nemtsov wrote:
>> Sometimes when reporting a MIC failure rx->key may be unset. This
>> code path is hit when receiving a packet meant for a multicast
>> address, and decryption is performed in HW.
>>
>> Fortunately, the failing key_idx is not used for anything up to
>> (and including) usermode, so we allow ourselves to drop it on the
>> way up when a key cannot be retrieved.
>>
>> Signed-off-by: Arik Nemtsov <[email protected]>
>
> It'd be nice to also update the docs for the cfg80211 function to
> document the -1 special case, but other than that:
Sure why not? :)
On Sat, 2011-06-18 at 21:45 +0300, Arik Nemtsov wrote:
> Sometimes when reporting a MIC failure rx->key may be unset. This
> code path is hit when receiving a packet meant for a multicast
> address, and decryption is performed in HW.
>
> Fortunately, the failing key_idx is not used for anything up to
> (and including) usermode, so we allow ourselves to set a bogus one
> when a key cannot be retrieved.
I guess we don't have a choice, but for the record I don't really like
lying. I'd rather also adjust nl80211 to not have the attribute in this
case, rather than an attribute with a bogus value.
johannes