linux/net/mac80211
Ronald Wahl 4f031fa9f1 mac80211: Fix regression that triggers a kernel BUG with CCMP
Commit 7ec7c4a9a6 (mac80211: port CCMP to cryptoapi's CCM driver)
introduced a regression when decrypting empty packets (data_len == 0).
This will lead to backtraces like:

(scatterwalk_start) from [<c01312f4>] (scatterwalk_map_and_copy+0x2c/0xa8)
(scatterwalk_map_and_copy) from [<c013a5a0>] (crypto_ccm_decrypt+0x7c/0x25c)
(crypto_ccm_decrypt) from [<c032886c>] (ieee80211_aes_ccm_decrypt+0x160/0x170)
(ieee80211_aes_ccm_decrypt) from [<c031c628>] (ieee80211_crypto_ccmp_decrypt+0x1ac/0x238)
(ieee80211_crypto_ccmp_decrypt) from [<c032ef28>] (ieee80211_rx_handlers+0x870/0x1d24)
(ieee80211_rx_handlers) from [<c0330c7c>] (ieee80211_prepare_and_rx_handle+0x8a0/0x91c)
(ieee80211_prepare_and_rx_handle) from [<c0331260>] (ieee80211_rx+0x568/0x730)
(ieee80211_rx) from [<c01d3054>] (__carl9170_rx+0x94c/0xa20)
(__carl9170_rx) from [<c01d3324>] (carl9170_rx_stream+0x1fc/0x320)
(carl9170_rx_stream) from [<c01cbccc>] (carl9170_usb_tasklet+0x80/0xc8)
(carl9170_usb_tasklet) from [<c00199dc>] (tasklet_hi_action+0x88/0xcc)
(tasklet_hi_action) from [<c00193c8>] (__do_softirq+0xcc/0x200)
(__do_softirq) from [<c0019734>] (irq_exit+0x80/0xe0)
(irq_exit) from [<c0009c10>] (handle_IRQ+0x64/0x80)
(handle_IRQ) from [<c000c3a0>] (__irq_svc+0x40/0x4c)
(__irq_svc) from [<c0009d44>] (arch_cpu_idle+0x2c/0x34)

Such packets can appear for example when using the carl9170 wireless driver
because hardware sometimes generates garbage when the internal FIFO overruns.

This patch adds an additional length check.

Cc: stable@vger.kernel.org
Fixes: 7ec7c4a9a6 ("mac80211: port CCMP to cryptoapi's CCM driver")
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-11-06 12:42:22 +01:00
Kconfig mac80211: remove PID rate control 2014-06-23 11:05:23 +02:00
Makefile cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
aes_ccm.c mac80211: Fix regression that triggers a kernel BUG with CCMP 2014-11-06 12:42:22 +01:00
aes_ccm.h mac80211: port CCMP to cryptoapi's CCM driver 2013-10-11 15:38:20 +02:00
aes_cmac.c mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
aes_cmac.h mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
agg-rx.c mac80211: fix offloaded BA session traffic after hw restart 2014-09-03 13:40:38 +02:00
agg-tx.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
cfg.c mac80211: return the vif's chandef in ieee80211_cfg_get_channel() 2014-10-09 11:01:58 +02:00
cfg.h mac80211: make cfg80211 ops and privid const 2014-02-04 21:48:21 +01:00
chan.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
debug.h mac80211: process the CSA frame for mesh accordingly 2013-10-28 15:05:28 +01:00
debugfs.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_key.c mac80211: move sdata debugfs dir to vif 2013-03-18 20:10:04 +01:00
debugfs_key.h mac80211: support separate default keys 2010-12-13 15:23:29 -05:00
debugfs_netdev.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs_netdev.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_sta.c This time, I have some rate minstrel improvements, support for a very 2014-09-15 14:51:23 -04:00
debugfs_sta.h
driver-ops.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
ethtool.c cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
event.c
ht.c mac80211: set Rx highest rate in ht_cap 2014-07-21 12:14:04 +02:00
ibss.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
ieee80211_i.h mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
iface.c mac80211: properly flush delayed scan work on interface removal 2014-10-30 15:48:32 +01:00
key.c mac80211: clear key material when freeing keys 2014-09-11 12:07:23 +02:00
key.h mac80211: free all AP/VLAN keys at once 2013-12-16 11:29:48 +01:00
led.c mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
led.h mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
main.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
mesh.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
mesh.h mac80211: use put_unaligned_le in mesh when necessary 2013-11-25 20:51:55 +01:00
mesh_hwmp.c mac80211: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
mesh_pathtbl.c mac80211: Replace rcu_dereference() with rcu_access_pointer() 2014-08-27 12:14:10 +02:00
mesh_plink.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
mesh_ps.c mac80211: clear sequence/fragment number in QoS-null frames 2014-03-05 15:49:54 +01:00
mesh_sync.c mac80211: remove BUG_ON usage 2014-04-29 17:59:27 +02:00
michael.c
michael.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
mlme.c mac80211: schedule the actual switch of the station before CSA count 0 2014-10-29 16:37:54 +01:00
offchannel.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
pm.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
rate.c mac80211: fix typo in starting baserate for rts_cts_rate_idx 2014-10-14 11:16:16 +02:00
rate.h mac80211: remove PID rate control 2014-06-23 11:05:23 +02:00
rc80211_minstrel.c mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rc80211_minstrel.h mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rc80211_minstrel_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht.c mac80211: improve minstrel_ht rate sorting by throughput & probability 2014-09-11 12:10:14 +02:00
rc80211_minstrel_ht.h mac80211: improve minstrel_ht rate sorting by throughput & probability 2014-09-11 12:10:14 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rx.c mac80211: fix use-after-free in defragmentation 2014-11-03 14:28:50 +01:00
scan.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
spectmgmt.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
sta_info.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
sta_info.h mac80211: fix warning on htmldocs for last_tdls_pkt_time 2014-10-09 10:33:29 +02:00
status.c mac80211: add TDLS connection timeout 2014-09-11 12:18:47 +02:00
tdls.c mac80211: set network header in TDLS frames 2014-09-11 12:25:22 +02:00
tkip.c mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
tkip.h mac80211: fix TKIP races, make API easier to use 2011-07-08 11:11:19 -04:00
trace.c mac80211: trace debug messages 2012-06-24 11:33:18 +02:00
trace.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
tx.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
util.c mac80211: support DTPC IE (from Cisco Client eXtensions) 2014-09-08 10:52:00 +02:00
vht.c mac80211: disable VHT for TDLS 2014-07-21 12:14:04 +02:00
wep.c mac80211: remove weak WEP IV accounting 2014-06-23 11:05:31 +02:00
wep.h mac80211: move RX WEP weak IV counting 2012-03-13 14:54:16 -04:00
wme.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
wme.h mac80211: save wmm_acm per sdata 2012-06-20 17:35:22 +02:00
wpa.c mac80211: annotate MMIC head/tailroom warning 2014-09-08 11:22:42 +02:00
wpa.h mac80211: add generic cipher scheme support 2013-11-25 20:50:52 +01:00