|
@@ -86,6 +86,11 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
|
|
|
struct sk_buff *skb = rx->skb;
|
|
|
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
|
|
|
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
|
|
|
+ int queue = rx->queue;
|
|
|
+
|
|
|
+ /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
|
|
|
+ if (rx->queue == NUM_RX_DATA_QUEUES - 1)
|
|
|
+ queue = 0;
|
|
|
|
|
|
/*
|
|
|
* it makes no sense to check for MIC errors on anything other
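Review bot: The non-QoS remap (`if (rx->queue == NUM_RX_DATA_QUEUES - 1) queue = 0;`) is open-coded here and again in the ieee80211_crypto_tkip_decrypt hunk, yet the replay protection only holds if the index checked at decrypt time and the index written back at `update_iv` stay identical. One static helper that returns the replay-counter index for an rx (name to be chosen) would keep the two sites from drifting apart. The added comment names the risk but not the reason; something like `/* non-QoS frames are MIC'ed as priority 0, so they must share TID 0's replay counter */` would explain why the last queue slot is folded onto 0. That wording is my reading of the change and should be confirmed against the Michael MIC priority handling. The function body continues outside the hunk.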
|
|
@@ -148,8 +153,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
|
|
|
|
|
|
update_iv:
|
|
|
/* update IV in key information to be able to detect replays */
|
|
|
- rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;
|
|
|
- rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;
|
|
|
+ rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32;
|
|
|
+ rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16;
|
|
|
|
|
|
return RX_CONTINUE;
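Review bot: The comment above the write-back still reads as if each RX queue had its own counter, but after this change non-QoS frames update slot 0, and `queue` is computed far above the `update_iv` label. I would extend it to `/* update IV in key information to be able to detect replays; non-QoS frames share the TID 0 counter (see queue above) */`. The last data-queue slot of `u.tkip.rx[]` now appears to go unused for TKIP, which deserves a short note wherever that array is declared (not visible in this diff). The function begins outside the hunk.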
|
|
|
|
|
@@ -241,6 +246,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
|
|
|
struct ieee80211_key *key = rx->key;
|
|
|
struct sk_buff *skb = rx->skb;
|
|
|
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
|
|
|
+ int queue = rx->queue;
|
|
|
+
|
|
|
+ /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */
|
|
|
+ if (rx->queue == NUM_RX_DATA_QUEUES - 1)
|
|
|
+ queue = 0;
|
|
|
|
|
|
hdrlen = ieee80211_hdrlen(hdr->frame_control);
|
|
|
|
|
@@ -261,7 +271,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
|
|
|
res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm,
|
|
|
key, skb->data + hdrlen,
|
|
|
skb->len - hdrlen, rx->sta->sta.addr,
|
|
|
- hdr->addr1, hwaccel, rx->queue,
|
|
|
+ hdr->addr1, hwaccel, queue,
|
|
|
&rx->tkip_iv32,
|
|
|
&rx->tkip_iv16);
|
|
|
if (res != TKIP_DECRYPT_OK)
|