The branch main has been updated by adrian:
URL:
https://cgit.FreeBSD.org/src/commit/?id=36fcd52c2bd5a8a4b3d584564852f417fb83e762
commit 36fcd52c2bd5a8a4b3d584564852f417fb83e762
Author: Adrian Chadd <adr...@freebsd.org>
AuthorDate: 2025-06-02 00:11:40 +0000
Commit: Adrian Chadd <adr...@freebsd.org>
CommitDate: 2025-06-03 00:11:59 +0000
net80211: fix TKIP trailer trimming w/ no rx parameters given
Previous work made trimming the TKIP trailer an optional thing
based on what the driver indicated it did with the received
frame. However, for drivers that aren't populating an RX frame
with an rx status - notably iwn(4) - exposed this bug.
If the driver doesn't expose any RX status then just restore
the previous behaviour.
This matches what was done in the CCMP code in ccmp_decap().
Locally tested:
* iwn(4), STA mode, CCMP + TKIP groupwise network
Differential Revision: https://reviews.freebsd.org/D50638
Fixes: 731ff40069d28
MFC after: 3 days
Reviewed by: bz
---
sys/net80211/ieee80211_crypto_tkip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/net80211/ieee80211_crypto_tkip.c
b/sys/net80211/ieee80211_crypto_tkip.c
index 7169f3e87a68..1d368cf11eb9 100644
--- a/sys/net80211/ieee80211_crypto_tkip.c
+++ b/sys/net80211/ieee80211_crypto_tkip.c
@@ -370,7 +370,7 @@ finish:
/*
* Strip the ICV if hardware has not done so already.
*/
- if (rxs != NULL && (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
+ if ((rxs == NULL) || (rxs->c_pktflags & IEEE80211_RX_F_ICV_STRIP) == 0)
m_adj(m, -tkip.ic_trailer);
return 1;
