mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 07:22:33 +00:00
d54c91bd9a
Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau <nbd@nbd.name>
37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Mon, 13 Mar 2023 11:42:12 +0100
|
|
Subject: [PATCH] wifi: mac80211: flush queues on STA removal
|
|
|
|
When we remove a station, we first make it unreachable,
|
|
then we (must) remove its keys, and then remove the
|
|
station itself. Depending on the hardware design, if
|
|
we have hardware crypto at all, frames still sitting
|
|
on hardware queues may then be transmitted without a
|
|
valid key, possibly unencrypted or with a fixed key.
|
|
|
|
Fix this by flushing the queues when removing stations
|
|
so this cannot happen.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
|
|
---
|
|
|
|
--- a/net/mac80211/sta_info.c
|
|
+++ b/net/mac80211/sta_info.c
|
|
@@ -1271,6 +1271,14 @@ static void __sta_info_destroy_part2(str
|
|
WARN_ON_ONCE(ret);
|
|
}
|
|
|
|
+ /* Flush queues before removing keys, as that might remove them
|
|
+ * from hardware, and then depending on the offload method, any
|
|
+ * frames sitting on hardware queues might be sent out without
|
|
+ * any encryption at all.
|
|
+ */
|
|
+ if (local->ops->set_key)
|
|
+ ieee80211_flush_queues(local, sta->sdata, false);
|
|
+
|
|
/* now keys can no longer be reached */
|
|
ieee80211_free_sta_keys(local, sta);
|
|
|