git.baikalelectronics.ru Git - kernel.git/commit

author	Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
	Tue, 11 May 2021 18:02:42 +0000 (20:02 +0200)
committer	Johannes Berg <johannes.berg@intel.com>
	Tue, 11 May 2021 18:12:36 +0000 (20:12 +0200)
commit	1fab0cc3ef2c99159e055c5fbed71b1249b3693f
tree	756d40dcc45b31850fb1f87afefb264eec678a2d	tree \| snapshot
parent	9e8017be1d4ac5d5bde636c3cdf51ac983393481	commit \| diff

mac80211: assure all fragments are encrypted

Do not mix plaintext and encrypted fragments in protected Wi-Fi
networks. This fixes CVE-2020-26147.

Previously, an attacker was able to first forward a legitimate encrypted
fragment towards a victim, followed by a plaintext fragment. The
encrypted and plaintext fragment would then be reassembled. For further
details see Section 6.3 and Appendix D in the paper "Fragment and Forge:
Breaking Wi-Fi Through Frame Aggregation and Fragmentation".

Because of this change there are now two equivalent conditions in the
code to determine if a received fragment requires sequential PNs, so we
also move this test to a separate function to make the code easier to
maintain.

Cc: stable@vger.kernel.org
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>