diff options
| author | Michael Buesch <mb@bu3sch.de> | 2008-01-23 21:44:15 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-31 19:26:45 -0800 |
| commit | 09552ccd8277e6382097e93a40f7311a09449367 (patch) | |
| tree | c6e9b3f46ab04a0f1a461699d01cd6dbaa71e9bb /drivers/net/wireless/b43/xmit.c | |
| parent | 7be1bb6b798d506693d2d8668e801951996b5a4a (diff) | |
b43: Drop packets that we are not able to encrypt
We must not transmit packets we're not able to encrypt.
This fixes a bug where in a tiny timeframe after machine resume
packets can get sent unencrypted and might leak information.
This also fixes three small resource leakages I spotted while fixing
the security problem. Properly deallocate the DMA slots in any DMA
allocation error path.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/wireless/b43/xmit.c')
| -rw-r--r-- | drivers/net/wireless/b43/xmit.c | 48 |
1 files changed, 27 insertions, 21 deletions
diff --git a/drivers/net/wireless/b43/xmit.c b/drivers/net/wireless/b43/xmit.c index 7de2814d527e..7caa26eb4105 100644 --- a/drivers/net/wireless/b43/xmit.c +++ b/drivers/net/wireless/b43/xmit.c @@ -178,12 +178,12 @@ static u8 b43_calc_fallback_rate(u8 bitrate) } /* Generate a TX data header. */ -void b43_generate_txhdr(struct b43_wldev *dev, - u8 *_txhdr, - const unsigned char *fragment_data, - unsigned int fragment_len, - const struct ieee80211_tx_control *txctl, - u16 cookie) +int b43_generate_txhdr(struct b43_wldev *dev, + u8 *_txhdr, + const unsigned char *fragment_data, + unsigned int fragment_len, + const struct ieee80211_tx_control *txctl, + u16 cookie) { struct b43_txhdr *txhdr = (struct b43_txhdr *)_txhdr; const struct b43_phy *phy = &dev->phy; @@ -238,22 +238,27 @@ void b43_generate_txhdr(struct b43_wldev *dev, B43_WARN_ON(key_idx >= dev->max_nr_keys); key = &(dev->key[key_idx]); - if (likely(key->keyconf)) { - /* This key is valid. Use it for encryption. */ - - /* Hardware appends ICV. */ - plcp_fragment_len += txctl->icv_len; - - key_idx = b43_kidx_to_fw(dev, key_idx); - mac_ctl |= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) & - B43_TXH_MAC_KEYIDX; - mac_ctl |= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) & - B43_TXH_MAC_KEYALG; - wlhdr_len = ieee80211_get_hdrlen(fctl); - iv_len = min((size_t) txctl->iv_len, - ARRAY_SIZE(txhdr->iv)); - memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len); + if (unlikely(!key->keyconf)) { + /* This key is invalid. This might only happen + * in a short timeframe after machine resume before + * we were able to reconfigure keys. + * Drop this packet completely. Do not transmit it + * unencrypted to avoid leaking information. */ + return -ENOKEY; } + + /* Hardware appends ICV. */ + plcp_fragment_len += txctl->icv_len; + + key_idx = b43_kidx_to_fw(dev, key_idx); + mac_ctl |= (key_idx << B43_TXH_MAC_KEYIDX_SHIFT) & + B43_TXH_MAC_KEYIDX; + mac_ctl |= (key->algorithm << B43_TXH_MAC_KEYALG_SHIFT) & + B43_TXH_MAC_KEYALG; + wlhdr_len = ieee80211_get_hdrlen(fctl); + iv_len = min((size_t) txctl->iv_len, + ARRAY_SIZE(txhdr->iv)); + memcpy(txhdr->iv, ((u8 *) wlhdr) + wlhdr_len, iv_len); } if (b43_is_old_txhdr_format(dev)) { b43_generate_plcp_hdr((struct b43_plcp_hdr4 *)(&txhdr->old_format.plcp), @@ -411,6 +416,7 @@ void b43_generate_txhdr(struct b43_wldev *dev, txhdr->phy_ctl = cpu_to_le16(phy_ctl); txhdr->extra_ft = extra_ft; + return 0; } static s8 b43_rssi_postprocess(struct b43_wldev *dev, |