mac80211: linearize SKBs as needed for crypto

author Johannes Berg <johannes.berg@intel.com>

Mon, 12 Mar 2012 12:49:14 +0000 (13:49 +0100)

committer John W. Linville <linville@tuxdriver.com>

Tue, 13 Mar 2012 18:54:17 +0000 (14:54 -0400)
author Johannes Berg <johannes.berg@intel.com>
Mon, 12 Mar 2012 12:49:14 +0000 (13:49 +0100)
committer John W. Linville <linville@tuxdriver.com>
Tue, 13 Mar 2012 18:54:17 +0000 (14:54 -0400)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c

index b38da13e2a88a27d4fe5ecef223a252fe6e5df17..53c88d145472a008c92b687899fcdd23cd34cffb 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1063,10 +1063,6 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                 return RX_DROP_MONITOR;
         }
  
-       if (skb_linearize(rx->skb))
-               return RX_DROP_UNUSABLE;
-       /* the hdr variable is invalid now! */
-
         switch (rx->key->conf.cipher) {
         case WLAN_CIPHER_SUITE_WEP40:
         case WLAN_CIPHER_SUITE_WEP104:
@@ -1089,6 +1085,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
                 return RX_DROP_UNUSABLE;
         }
  
+       /* the hdr variable is invalid after the decrypt handlers */
+
         /* either the frame has been decrypted or will be dropped */
         status->flag |= RX_FLAG_DECRYPTED;
  
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c

index 5cd87ba11bb721a78ca2dc41324e49587671aca6..7aa31bbfaa3bf7387df2756bf94877cc15fdda9a 100644 (file)
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -284,22 +284,27 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx)
         struct sk_buff *skb = rx->skb;
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+       __le16 fc = hdr->frame_control;
  
-       if (!ieee80211_is_data(hdr->frame_control) &&
-           !ieee80211_is_auth(hdr->frame_control))
+       if (!ieee80211_is_data(fc) && !ieee80211_is_auth(fc))
                 return RX_CONTINUE;
  
         if (!(status->flag & RX_FLAG_DECRYPTED)) {
+               if (skb_linearize(rx->skb))
+                       return RX_DROP_UNUSABLE;
                 if (rx->sta && ieee80211_wep_is_weak_iv(rx->skb, rx->key))
                         rx->sta->wep_weak_iv_count++;
                 if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key))
                         return RX_DROP_UNUSABLE;
         } else if (!(status->flag & RX_FLAG_IV_STRIPPED)) {
+               if (!pskb_may_pull(rx->skb, ieee80211_hdrlen(fc) + WEP_IV_LEN))
+                       return RX_DROP_UNUSABLE;
                 if (rx->sta && ieee80211_wep_is_weak_iv(rx->skb, rx->key))
                         rx->sta->wep_weak_iv_count++;
                 ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key);
                 /* remove ICV */
-               skb_trim(rx->skb, rx->skb->len - WEP_ICV_LEN);
+               if (pskb_trim(rx->skb, rx->skb->len - WEP_ICV_LEN))
+                       return RX_DROP_UNUSABLE;
         }
  
         return RX_CONTINUE;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c

index b758350919ff4641e69127a220f3c450fb07fcc9..0ae23c60968c0a9e82b214042ee5b01c4f27bb7d 100644 (file)
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -138,6 +138,10 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
         if (skb->len < hdrlen + MICHAEL_MIC_LEN)
                 return RX_DROP_UNUSABLE;
  
+       if (skb_linearize(rx->skb))
+               return RX_DROP_UNUSABLE;
+       hdr = (void *)skb->data;
+
         data = skb->data + hdrlen;
         data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
         key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
@@ -253,6 +257,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
         if (!rx->sta || skb->len - hdrlen < 12)
                 return RX_DROP_UNUSABLE;
  
+       /* it may be possible to optimize this a bit more */
+       if (skb_linearize(rx->skb))
+               return RX_DROP_UNUSABLE;
+       hdr = (void *)skb->data;
+
         /*
          * Let TKIP code verify IV, but skip decryption.
          * In the case where hardware checks the IV as well,
@@ -484,6 +493,14 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
         if (!rx->sta || data_len < 0)
                 return RX_DROP_UNUSABLE;
  
+       if (status->flag & RX_FLAG_DECRYPTED) {
+               if (!pskb_may_pull(rx->skb, hdrlen + CCMP_HDR_LEN))
+                       return RX_DROP_UNUSABLE;
+       } else {
+               if (skb_linearize(rx->skb))
+                       return RX_DROP_UNUSABLE;
+       }
+
         ccmp_hdr2pn(pn, skb->data + hdrlen);
  
         queue = rx->security_idx;
@@ -509,7 +526,8 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
         memcpy(key->u.ccmp.rx_pn[queue], pn, CCMP_PN_LEN);
  
         /* Remove CCMP header and MIC */
-       skb_trim(skb, skb->len - CCMP_MIC_LEN);
+       if (pskb_trim(skb, skb->len - CCMP_MIC_LEN))
+               return RX_DROP_UNUSABLE;
         memmove(skb->data + CCMP_HDR_LEN, skb->data, hdrlen);
         skb_pull(skb, CCMP_HDR_LEN);
  
@@ -609,6 +627,8 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
         if (!ieee80211_is_mgmt(hdr->frame_control))
                 return RX_CONTINUE;
  
+       /* management frames are already linear */
+
         if (skb->len < 24 + sizeof(*mmie))
                 return RX_DROP_UNUSABLE;
author	Johannes Berg <johannes.berg@intel.com>
	Mon, 12 Mar 2012 12:49:14 +0000 (13:49 +0100)
committer	John W. Linville <linville@tuxdriver.com>
	Tue, 13 Mar 2012 18:54:17 +0000 (14:54 -0400)
net/mac80211/rx.c		patch \| blob \| history
net/mac80211/wep.c		patch \| blob \| history
net/mac80211/wpa.c		patch \| blob \| history