From: Greg Kroah-Hartman Date: Thu, 20 Feb 2014 21:33:25 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.82~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3abb1c145743c6a71bd0390359e17a2c85ee23d8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: mac80211-fix-fragmentation-code-particularly-for-encryption.patch --- diff --git a/queue-3.4/mac80211-fix-fragmentation-code-particularly-for-encryption.patch b/queue-3.4/mac80211-fix-fragmentation-code-particularly-for-encryption.patch new file mode 100644 index 00000000000..04142502b40 --- /dev/null +++ b/queue-3.4/mac80211-fix-fragmentation-code-particularly-for-encryption.patch 
@@ -0,0 +1,53 @@ +From 338f977f4eb441e69bb9a46eaa0ac715c931a67f Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sat, 1 Feb 2014 00:16:23 +0100 +Subject: mac80211: fix fragmentation code, particularly for encryption + +From: Johannes Berg + +commit 338f977f4eb441e69bb9a46eaa0ac715c931a67f upstream. + +The "new" fragmentation code (since my rewrite almost 5 years ago) +erroneously sets skb->len rather than using skb_trim() to adjust +the length of the first fragment after copying out all the others. +This leaves the skb tail pointer pointing to after where the data +originally ended, and thus causes the encryption MIC to be written +at that point, rather than where it belongs: immediately after the +data. + +The impact of this is that if software encryption is done, then + a) encryption doesn't work for the first fragment, the connection + becomes unusable as the first fragment will never be properly + verified at the receiver, the MIC is practically guaranteed to + be wrong + b) we leak up to 8 bytes of plaintext (!) of the packet out into + the air + +This is only mitigated by the fact that many devices are capable +of doing encryption in hardware, in which case this can't happen +as the tail pointer is irrelevant in that case. Additionally, +fragmentation is not used very frequently and would normally have +to be configured manually. + +Fix this by using skb_trim() properly. + +Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation") +Reported-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -907,7 +907,7 @@ static int ieee80211_fragment(struct iee + } + + /* adjust first fragment's length */ +- skb->len = hdrlen + per_fragm; ++ skb_trim(skb, hdrlen + per_fragm); + return 0; + } + diff --git a/queue-3.4/series b/queue-3.4/series index f473d4b431b..55657cfed7f 100644 --- a/queue-3.4/series 
+++ b/queue-3.4/series @@ -1,2 +1,3 @@ xen-blkfront-handle-backend-closed-without-closing.patch fs-file.c-fdtable-avoid-triggering-ooms-from-alloc_fdmem.patch +mac80211-fix-fragmentation-code-particularly-for-encryption.patch
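Review bot: the one-line change in the `net/mac80211/tx.c` hunk, replacing `skb->len = hdrlen + per_fragm;` with `skb_trim(skb, hdrlen + per_fragm);`, addresses exactly the root cause the commit message names: assigning `skb->len` directly left the tail pointer where the unfragmented data ended, so the MIC was written there and up to 8 bytes of plaintext could go out in the first fragment, whereas `skb_trim()` moves the tail together with the length. The backported patch file carries the upstream commit id 338f977f4eb441e69bb9a46eaa0ac715c931a67f, the `Fixes:` reference to 2de8e0d999b8 and the sign-off chain, so the stable metadata is complete. Since the hunk applies at the same offset in `ieee80211_fragment` (`@@ -907,7 +907,7 @@`) with no surrounding context changes, the remaining check before release is functional rather than textual: with a driver doing software encryption and a fragmentation threshold configured, the receiver should now verify the MIC on the first fragment, which the message says could not succeed before.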
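Review bot: the `queue-3.4/series` entry is appended after the two patches already listed rather than inserted ahead of them, which is the expected ordering for a stable-queue addition; and because the diffstat shows the new patch touches only `net/mac80211/tx.c`, it cannot overlap with the xen-blkfront and fs/file.c changes queued before it, so no reordering of the series is needed.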