diff options
| author | Stephen Chu <stephen.chu@synaptics.corp-partner.google.com> | 2022-07-07 10:36:20 +0800 |
|---|---|---|
| committer | Necip Fazil Yildiran <necip@google.com> | 2022-12-15 22:37:14 +0000 |
| commit | 4faff02726c8de81a13f9298cc557af317bf831f (patch) | |
| tree | 965765a98cd7bf6c06b1d49864f150589d00f040 | |
| parent | 9ee5fbb1bf5433d5b9a7131f64da7ad0772827d5 (diff) | |
| download | drivers-4faff02726c8de81a13f9298cc557af317bf831f.tar.gz | |
DHD: DUT disconnected by replaying broadcast deauth
When an attacker records the broadcast deauth packet and
resent. DUT would disconnect.
Supplicant replies IGTK and IPN to DHD. DHD calls iovar
wsec_key to FW but miss IPN to cause this.
Bug: 235324895
Test: Verified positive result by T6
Signed-off-by: Stephen Chu <stephen.chu@synaptics.corp-partner.google.com>
Change-Id: I6d08a96233db5d44c1ce2919fb1c5f788d0c1767
(cherry picked from commit f84f3d9580d2b16a43c0fb7618c6ff8602818672)
Signed-off-by: Necip Fazil Yildiran <necip@google.com>
| -rw-r--r-- | net/wireless/bcmdhd/wl_cfg80211.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/net/wireless/bcmdhd/wl_cfg80211.c b/net/wireless/bcmdhd/wl_cfg80211.c index 56f019d..108357a 100644 --- a/net/wireless/bcmdhd/wl_cfg80211.c +++ b/net/wireless/bcmdhd/wl_cfg80211.c @@ -7606,6 +7606,16 @@ wl_cfg80211_add_key(struct wiphy *wiphy, struct net_device *dev, WL_DBG(("Buffering WEP Keys \n")); memcpy(&cfg->wep_key, &key, sizeof(struct wl_wsec_key)); } + + if (params->seq && params->seq_len == 6) { + /* rx iv */ + const u8 *ivptr; + ivptr = (const u8 *) params->seq; + key.rxiv.hi = (ivptr[5] << 24) | (ivptr[4] << 16) | + (ivptr[3] << 8) | ivptr[2]; + key.rxiv.lo = (ivptr[1] << 8) | ivptr[0]; + key.iv_initialized = true; + } err = wldev_iovar_setbuf_bsscfg(dev, "wsec_key", &key, sizeof(key), cfg->ioctl_buf, WLC_IOCTL_MAXLEN, bssidx, &cfg->ioctl_buf_sync); if (unlikely(err)) { |