From patchwork Mon May 28 11:29:20 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Loic Poulain <loic.poulain@linaro.org>
X-Patchwork-Id: 10431891
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5D4D8603B5 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 28 May 2018 11:29:34 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4F73E28C88
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 28 May 2018 11:29:34 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 441C028C92; Mon, 28 May 2018 11:29:34 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CBA2A28C90
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 28 May 2018 11:29:33 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S938303AbeE1L3c (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 28 May 2018 07:29:32 -0400
Received: from mail-wr0-f195.google.com ([209.85.128.195]:36268 "EHLO
	mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S938299AbeE1L3a (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Mon, 28 May 2018 07:29:30 -0400
Received: by mail-wr0-f195.google.com with SMTP id f16-v6so4409603wrm.3
	for <linux-wireless@vger.kernel.org>;
	Mon, 28 May 2018 04:29:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=5iodCd8fhjhIO+8Pv39Ot4A0OLaOvGZajjBz7TleDR8=;
	b=ZofAPc7lqYkxVIc/Sv/K8jfUdA6Ll3Mepz0Y05aagi4JcwvUVsGlgZg+zViPOmVtnn
	GmeSUL2+r/uz0Y/iAinIAIDwiVZo2OTtVplQUmMW4fBj1DGB4FMGE75KO/k/cbn8FAJs
	qzKf3nIr5cUmjM698Q4DDPMpA2xirZ7W/7/TU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=5iodCd8fhjhIO+8Pv39Ot4A0OLaOvGZajjBz7TleDR8=;
	b=lrxD6K+GLlh4xMqab2jOI2mVjb69489iBPFYFiThEHwzy7Zw1kPco8m1IcfwquV3vC
	Zj4zNbgNQHoEtvmsjHmRd92CJqxNqws7BgVPr5dn//RkLktCQPY/CLK3blsfFh67fVJY
	T3KuSPwKim4qV1swkgLOclBlDG9dTYsmLxiMA9+OoPpTge/c1zETD3y3wQ7W0XoCmo0F
	G3Yd0C6ZZGZ28092yYC/R3QX/M8P9iKOT8c+eC4UTFm/PF1I5IN1NnLzo59QQZwwWAe+
	5o8cwRBcFcMERbl549wma2Lje01F/8R+m++QQzrHMwxctAmclaDbkwl6nfrDTyf7cqwn
	xv5Q==
X-Gm-Message-State: ALKqPwdnYsiytWQ58lQiyXxBMevbyyHyb2UT78rxAm+ag0291VMrK48m
	dT5aKkr5/8lnwL/17cAe6n9rDA==
X-Google-Smtp-Source: 
 ADUXVKK/yZ0KplqSTqQexEF+bCgfNjpx+DLWVXUAc7s2zKCEjRIQuaCButu+Ai+3QJgVTxUOXCem9g==
X-Received: by 2002:adf:de08:: with SMTP id
	b8-v6mr3253424wrm.39.1527506968794;
	Mon, 28 May 2018 04:29:28 -0700 (PDT)
Received: from lpoulain-ThinkPad-T470p.home
	(LFbn-1-10589-161.w90-89.abo.wanadoo.fr. [90.89.181.161])
	by smtp.gmail.com with ESMTPSA id
	c18-v6sm16020324wrq.17.2018.05.28.04.29.27
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 28 May 2018 04:29:28 -0700 (PDT)
From: Loic Poulain <loic.poulain@linaro.org>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org, linux-arm-msm@vger.kernel.org,
	Loic Poulain <loic.poulain@linaro.org>
Subject: [PATCH 3/3] wcn36xx: Fix WEP encryption
Date: Mon, 28 May 2018 13:29:20 +0200
Message-Id: <1527506960-13358-3-git-send-email-loic.poulain@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1527506960-13358-1-git-send-email-loic.poulain@linaro.org>
References: <1527506960-13358-1-git-send-email-loic.poulain@linaro.org>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In case of WEP encryption, driver has to configure shared key for
associated station(s). Note that sta pointer is NULL in case of non
pairwise key, causing NULL pointer dereference with existing code
(sta_priv->is_data_encrypted). Fix this by using associated sta list
instead.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
---
 drivers/net/wireless/ath/wcn36xx/main.c | 19 +++++++++++--------
 drivers/net/wireless/ath/wcn36xx/smd.c  | 20 ++++++++++++++------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
index 6fd0bf6..e38443e 100644
--- a/drivers/net/wireless/ath/wcn36xx/main.c
+++ b/drivers/net/wireless/ath/wcn36xx/main.c
@@ -493,7 +493,7 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 {
 	struct wcn36xx *wcn = hw->priv;
 	struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif);
-	struct wcn36xx_sta *sta_priv = wcn36xx_sta_to_priv(sta);
+	struct wcn36xx_sta *sta_priv = sta ? wcn36xx_sta_to_priv(sta) : NULL;
 	int ret = 0;
 	u8 key[WLAN_MAX_KEY_LEN];
 
@@ -570,13 +570,16 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 
 			if ((WLAN_CIPHER_SUITE_WEP40 == key_conf->cipher) ||
 			    (WLAN_CIPHER_SUITE_WEP104 == key_conf->cipher)) {
-				sta_priv->is_data_encrypted = true;
-				wcn36xx_smd_set_stakey(wcn,
-					vif_priv->encrypt_type,
-					key_conf->keyidx,
-					key_conf->keylen,
-					key,
-					get_sta_index(vif, sta_priv));
+				list_for_each_entry(sta_priv,
+						    &vif_priv->sta_list, list) {
+					sta_priv->is_data_encrypted = true;
+					wcn36xx_smd_set_stakey(wcn,
+						vif_priv->encrypt_type,
+						key_conf->keyidx,
+						key_conf->keylen,
+						key,
+						get_sta_index(vif, sta_priv));
+				}
 			}
 		}
 		break;
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index b4dadf7..304a86c 100644
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -1708,12 +1708,20 @@ int wcn36xx_smd_set_stakey(struct wcn36xx *wcn,
 	msg_body.set_sta_key_params.sta_index = sta_index;
 	msg_body.set_sta_key_params.enc_type = enc_type;
 
-	msg_body.set_sta_key_params.key[0].id = keyidx;
-	msg_body.set_sta_key_params.key[0].unicast = 1;
-	msg_body.set_sta_key_params.key[0].direction = WCN36XX_HAL_TX_RX;
-	msg_body.set_sta_key_params.key[0].pae_role = 0;
-	msg_body.set_sta_key_params.key[0].length = keylen;
-	memcpy(msg_body.set_sta_key_params.key[0].key, key, keylen);
+	if (enc_type == WCN36XX_HAL_ED_WEP104 ||
+	    enc_type == WCN36XX_HAL_ED_WEP40) {
+		/* Use bss key for wep (static) */
+		msg_body.set_sta_key_params.def_wep_idx = keyidx;
+		msg_body.set_sta_key_params.wep_type = 0;
+	} else {
+		msg_body.set_sta_key_params.key[0].id = keyidx;
+		msg_body.set_sta_key_params.key[0].unicast = 1;
+		msg_body.set_sta_key_params.key[0].direction = WCN36XX_HAL_TX_RX;
+		msg_body.set_sta_key_params.key[0].pae_role = 0;
+		msg_body.set_sta_key_params.key[0].length = keylen;
+		memcpy(msg_body.set_sta_key_params.key[0].key, key, keylen);
+	}
+
 	msg_body.set_sta_key_params.single_tid_rc = 1;
 
 	PREPARE_HAL_BUF(wcn->hal_buf, msg_body);