git: a3bd81ddfe29 - releng/14.3 - net80211: fix TKIP trailer trimming w/ no rx parameters given
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 08 Aug 2025 00:39:03 UTC
The branch releng/14.3 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=a3bd81ddfe2912afb824e322fddc576cde72e376
commit a3bd81ddfe2912afb824e322fddc576cde72e376
Author: Adrian Chadd <adrian@FreeBSD.org>
AuthorDate: 2025-06-02 00:11:40 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2025-08-07 23:21:08 +0000
net80211: fix TKIP trailer trimming w/ no rx parameters given
Previous work made trimming the TKIP trailer an optional thing
based on what the driver indicated it did with the received
frame. However, for drivers that aren't populating an RX frame
with an rx status - notably iwn(4) - exposed this bug.
If the driver doesn't expose any RX status then just restore
the previous behaviour.
This matches what was done in the CCMP code in ccmp_decap().
Locally tested:
* iwn(4), STA mode, CCMP + TKIP groupwise network
Differential Revision: https://reviews.freebsd.org/D50638
Fixes: 731ff40069d28
Reviewed by: bz
Approved by: so
Security: FreeBSD-EN-25:13.wlan_tkip
(cherry picked from commit 36fcd52c2bd5a8a4b3d584564852f417fb83e762)
(cherry picked from commit 950343a170f06a0651b725058e0669b8d03b9d24)
---
sys/net80211/ieee80211_crypto_tkip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/net80211/ieee80211_crypto_tkip.c b/sys/net80211/ieee80211_crypto_tkip.c
index ca474b504fff..0506e2df6545 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -370,7 +370,7 @@ finish:
/*
* Strip the ICV if hardware has not done so already.
*/
- if (rxs != NULL && (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
+ if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
m_adj(m, -tkip.ic_trailer);
return 1;