From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Stanislaw Gruszka <sgruszka@redhat.com>,
"John W. Linville" <linville@tuxdriver.com>
Subject: [46/48] mac80211: fix rx->key NULL pointer dereference in promiscuous mode
Date: Mon, 16 Jan 2012 10:45:13 -0800 [thread overview]
Message-ID: <20120116184519.576410596@clark.kroah.org> (raw)
In-Reply-To: <20120116184527.GA11972@kroah.com>
3.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 1140afa862842ac3e56678693050760edc4ecde9 upstream.
Since:
commit 816c04fe7ef01dd9649f5ccfe796474db8708be5
Author: Christian Lamparter <chunkeey@googlemail.com>
Date: Sat Apr 30 15:24:30 2011 +0200
mac80211: consolidate MIC failure report handling
is possible to that we dereference rx->key == NULL when driver set
RX_FLAG_MMIC_STRIPPED and not RX_FLAG_IV_STRIPPED and we are in
promiscuous mode. This happen with rt73usb and rt61pci at least.
Before the commit we always check rx->key against NULL, so I assume
fix should be done in mac80211 (also mic_fail path has similar check).
References:
https://bugzilla.redhat.com/show_bug.cgi?id=769766
http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/2012-January/004395.html
Reported-by: Stuart D Gathman <stuart@gathman.org>
Reported-by: Kai Wohlfahrt <kai.scorpio@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/mac80211/wpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -105,7 +105,7 @@ ieee80211_rx_h_michael_mic_verify(struct
if (status->flag & RX_FLAG_MMIC_ERROR)
goto mic_fail;
- if (!(status->flag & RX_FLAG_IV_STRIPPED))
+ if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key)
goto update_iv;
return RX_CONTINUE;
next prev parent reply other threads:[~2012-01-16 18:53 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-16 18:45 [00/48] 3.1.10-stable review Greg KH
2012-01-16 18:44 ` [01/48] mtdoops: fix the oops_page_used array size Greg KH
2012-01-16 18:44 ` [02/48] mtd: mtdoops: skip reading initially bad blocks Greg KH
2012-01-16 18:44 ` [03/48] mtd: mtd_blkdevs: dont increase open count on error path Greg KH
2012-01-16 18:44 ` [04/48] mtd: tests: stresstest: bail out if device has not enough eraseblocks Greg KH
2012-01-16 18:44 ` [05/48] drivers/rtc/interface.c: fix alarm rollover when day or month is out-of-range Greg KH
2012-01-16 18:44 ` [06/48] ext4: fix undefined behavior in ext4_fill_flex_info() Greg KH
2012-01-16 18:44 ` [07/48] ALSA: snd-usb-us122l: Delete calls to preempt_disable Greg KH
2012-01-16 18:44 ` [08/48] ALSA: HDA: Fix master control for Cirrus Logic 421X Greg KH
2012-01-16 18:44 ` [09/48] ALSA: HDA: Fix automute for Cirrus Logic 421x Greg KH
2012-01-16 18:44 ` [10/48] ALSA: ice1724 - Check for ac97 to avoid kernel oops Greg KH
2012-01-16 18:44 ` [11/48] ALSA: hda - Use auto-parser for HP laptops with cx20459 codec Greg KH
2012-01-16 18:44 ` [12/48] ALSA: hda - Return the error from get_wcaps_type() for invalid NIDs Greg KH
2012-01-16 18:44 ` [13/48] ALSA: hda - Fix the detection of "Loopback Mixing" control for VIA codecs Greg KH
2012-01-16 18:44 ` [14/48] ALSA: hda - Fix the lost power-setup of seconary pins after PM resume Greg KH
2012-01-16 18:44 ` [15/48] KVM guest: prevent tracing recursion with kvmclock Greg KH
2012-01-16 18:44 ` [16/48] KVM: x86: Prevent starting PIT timers in the absence of irqchip support Greg KH
2012-01-16 18:44 ` [17/48] KVM: Remove ability to assign a device without iommu support Greg KH
2012-01-16 18:44 ` [18/48] KVM: Device assignment permission checks Greg KH
2012-01-16 18:44 ` [19/48] [PATCH] ideapad: Check if acpi already handle backlight power to avoid a page fault Greg KH
2012-01-16 18:44 ` [20/48] drm/radeon/kms: workaround invalid AVI infoframe checksum issue Greg KH
2012-01-16 18:44 ` [21/48] drm/radeon/kms: disable writeback on pre-R300 asics Greg KH
2012-01-16 18:44 ` [22/48] radeon: Fix disabling PCI bus mastering on big endian hosts Greg KH
2012-01-16 18:44 ` [23/48] NFS: Retry mounting NFSROOT Greg KH
2012-01-16 18:44 ` [24/48] NFSv4.1: fix backchannel slotid off-by-one bug Greg KH
2012-01-16 18:44 ` [25/48] NFS - fix recent breakage to NFS error handling Greg KH
2012-01-16 18:44 ` [26/48] NFSv4: include bitmap in nfsv4 get acl data Greg KH
2012-01-16 18:44 ` [27/48] nfs: fix regression in handling of context= option in NFSv4 Greg KH
2012-01-16 18:44 ` [28/48] HID: bump maximum global item tag report size to 96 bytes Greg KH
2012-01-16 18:44 ` [29/48] HID: wiimote: Select INPUT_FF_MEMLESS Greg KH
2012-01-17 1:55 ` Paul Gortmaker
2012-01-17 6:37 ` David Herrmann
2012-01-17 8:33 ` Dan Carpenter
2012-01-17 17:09 ` Greg KH
2012-01-16 18:44 ` [30/48] UBI: fix missing scrub when there is a bit-flip Greg KH
2012-01-16 18:44 ` [31/48] UBI: fix use-after-free on error path Greg KH
2012-01-16 18:44 ` [32/48] PCI: Fix PCI_EXP_TYPE_RC_EC value Greg KH
2012-01-16 18:45 ` [33/48] PCI: msi: Disable msi interrupts when we initialize a pci device Greg KH
2012-01-16 18:45 ` [34/48] x86/PCI: Ignore CPU non-addressable _CRS reserved memory resources Greg KH
2012-01-16 18:45 ` [35/48] x86/PCI: amd: factor out MMCONFIG discovery Greg KH
2012-01-16 18:45 ` [36/48] x86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y Greg KH
2012-01-16 18:45 ` [37/48] SCSI: mpt2sas: Release spinlock for the raid device list before blocking it Greg KH
2012-01-16 18:45 ` [38/48] SCSI: mpt2sas : Fix for memory allocation error for large host credits Greg KH
2012-01-16 18:45 ` [39/48] xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX Greg KH
2012-01-16 18:45 ` [40/48] md/raid1: perform bad-block tests for WriteMostly devices too Greg KH
2012-01-16 18:45 ` [41/48] ima: free duplicate measurement memory Greg KH
2012-01-16 18:45 ` [42/48] ima: fix invalid memory reference Greg KH
2012-01-16 18:45 ` [43/48] slub: fix a possible memleak in __slab_alloc() Greg KH
2012-01-16 18:45 ` [44/48] PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB Greg KH
2012-01-16 18:45 ` [45/48] rtl8192se: Fix BUG caused by failure to check skb allocation Greg KH
2012-01-16 18:45 ` Greg KH [this message]
2012-01-16 18:45 ` [47/48] memcg: add mem_cgroup_replace_page_cache() to fix LRU issue Greg KH
2012-01-16 18:45 ` [48/48] x86: Fix mmap random address range Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120116184519.576410596@clark.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=sgruszka@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).