linux-kernel-test/net
Johannes Berg 34459512ff mac80211: fix TKIP replay vulnerability
Unlike CCMP, the presence or absence of the QoS
field doesn't change the encryption, only the
TID is used. When no QoS field is present, zero
is used as the TID value. This means that it is
possible for an attacker to take a QoS packet
with TID 0 and replay it as a non-QoS packet.

Unfortunately, mac80211 uses different IVs for
checking the validity of the packet's TKIP IV
when it checks TID 0 and when it checks non-QoS
packets. This means it is vulnerable to this
replay attack.

To fix this, use the same replay counter for
TID 0 and non-QoS packets by overriding the
rx->queue value to 0 if it is 16 (non-QoS).

This is a minimal fix for now. I caused this
issue in

commit 1411f9b531
Author: Johannes Berg <johannes@sipsolutions.net>
Date:   Thu Jul 10 10:11:02 2008 +0200

    mac80211: fix RX sequence number check

while fixing a sequence number issue (there,
a separate counter needs to be used).

Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-07-07 13:06:09 -04:00
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
802 snap: remove one synchronize_net() 2011-05-23 16:29:24 -04:00
8021q net:8021q:vlan.c Fix pr_info to just give the vlan fullname and version. 2011-05-26 14:55:51 -04:00
appletalk appletalk: Fix OOPS in atalk_release(). 2011-03-31 18:59:10 -07:00
atm atm: expose ATM device index in sysfs 2011-05-27 13:07:21 -04:00
ax25 ax25: Fix set-but-unused variable. 2011-04-17 00:48:31 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
bluetooth Bluetooth: Fix memory leak under page timeouts 2011-06-30 16:32:52 -03:00
bridge Merge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6 2011-05-27 13:04:40 -04:00
caif caif: Plug memory leak for checksum error 2011-05-22 20:11:49 -04:00
can can: convert to %pK for kptr_restrict support 2011-05-26 14:23:35 -04:00
ceph libceph: fix ceph_osdc_alloc_request error checks 2011-05-03 09:28:13 -07:00
core net: Kill ratelimit.h dependency in linux/net.h 2011-05-27 13:41:33 -04:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp ipv4: Make caller provide flowi4 key to inet_csk_route_req(). 2011-05-18 18:32:03 -04:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-05 14:59:02 -07:00
econet econet: Fix set-but-unused variable. 2011-04-17 00:15:22 -07:00
ethernet
ieee802154 ieee802154: Remove hacked CFLAGS in net/ieee802154/Makefile 2011-04-12 15:33:23 -07:00
ipv4 inetpeer: fix race in unused_list manipulations 2011-05-27 13:39:11 -04:00
ipv6 net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
ipx ipx: fix ipx_release() 2011-03-21 18:16:39 -07:00
irda irda: Fix error propagation in ircomm_lmp_connect_response() 2011-05-19 18:58:39 -04:00
iucv convert old cpumask API into new one 2011-05-13 14:55:21 -04:00
key net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
lapb
llc llc: Fix length check in llc_fixup_skb(). 2011-04-11 18:59:05 -07:00
mac80211 mac80211: fix TKIP replay vulnerability 2011-07-07 13:06:09 -04:00
netfilter IPVS: bug in ip_vs_ftp, same list head used in all netns. 2011-05-27 13:37:46 +02:00
netlabel Remove prefetch() from <linux/skbuff.h> and "netlabel_addrlist.h" 2011-05-22 21:43:41 -07:00
netlink net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
netrom NET: AX.25, NETROM, ROSE: Remove SOCK_DEBUG calls 2011-04-14 00:20:07 -07:00
packet net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
phonet net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
rds Fix common misspellings 2011-03-31 11:26:23 -03:00
rfkill net: rfkill: add generic gpio rfkill driver 2011-05-19 13:53:54 -04:00
rose NET: AX.25, NETROM, ROSE: Remove SOCK_DEBUG calls 2011-04-14 00:20:07 -07:00
rxrpc rxrpc: Fix set but unused variable 'usage' in rxrpc_get_transport() 2011-05-19 18:51:50 -04:00
sched sch_sfq: fix peek() implementation 2011-05-25 17:55:32 -04:00
sctp sctp: fix memory leak of the ASCONF queue when free asoc 2011-05-25 17:55:32 -04:00
sunrpc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-05-23 09:12:26 -07:00
tipc tipc: Revise timings used when sending link request messages 2011-05-10 16:04:02 -04:00
unix net: convert %p usage to %pK 2011-05-24 01:13:12 -04:00
wanrouter Fix common misspellings 2011-03-31 11:26:23 -03:00
wimax
wireless cfg80211: fix deadlock with rfkill/sched_scan by adding new mutex 2011-07-05 14:42:36 -04:00
x25 Fix common misspellings 2011-03-31 11:26:23 -03:00
xfrm Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-3.6 2011-05-11 14:26:58 -04:00
compat.c net: Add sendmmsg socket system call 2011-05-05 11:10:14 -07:00
Kconfig bpf: depends on MODULES 2011-04-29 10:20:53 -07:00
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2011-05-20 13:43:21 -07:00
sysctl_net.c
TUNABLE