mirror of
https://github.com/hanwckf/immortalwrt-mt798x.git
synced 2025-01-09 18:59:13 +08:00
509363ba58
Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4) (cherry picked from commit 4ae854d05568bc36a4df2cb6dd8fb023b5ef9944)
37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Mon, 13 Mar 2023 11:42:12 +0100
|
|
Subject: [PATCH] wifi: mac80211: flush queues on STA removal
|
|
|
|
When we remove a station, we first make it unreachable,
|
|
then we (must) remove its keys, and then remove the
|
|
station itself. Depending on the hardware design, if
|
|
we have hardware crypto at all, frames still sitting
|
|
on hardware queues may then be transmitted without a
|
|
valid key, possibly unencrypted or with a fixed key.
|
|
|
|
Fix this by flushing the queues when removing stations
|
|
so this cannot happen.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
|
|
---
|
|
|
|
--- a/net/mac80211/sta_info.c
|
|
+++ b/net/mac80211/sta_info.c
|
|
@@ -1070,6 +1070,14 @@ static void __sta_info_destroy_part2(str
|
|
WARN_ON_ONCE(ret);
|
|
}
|
|
|
|
+ /* Flush queues before removing keys, as that might remove them
|
|
+ * from hardware, and then depending on the offload method, any
|
|
+ * frames sitting on hardware queues might be sent out without
|
|
+ * any encryption at all.
|
|
+ */
|
|
+ if (local->ops->set_key)
|
|
+ ieee80211_flush_queues(local, sta->sdata, false);
|
|
+
|
|
/* now keys can no longer be reached */
|
|
ieee80211_free_sta_keys(local, sta);
|
|
|