[PATCH] wifi: mac80211: Fix cryptographic MAC comparison to be constant-time
From: Eric Biggers
Date: Wed Jul 08 2026 - 22:46:10 EST
To prevent timing attacks, the comparison of cryptographic message
authentication codes (MACs) needs to have data-independent timing.
Replace the memcmp() with the correct function, crypto_memneq().
Fixes: 39404feee691 ("mac80211: FILS AEAD protection for station mode association frames")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
---
net/mac80211/fils_aead.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/fils_aead.c b/net/mac80211/fils_aead.c
index d2f4a17eab99..00b91e6ed994 100644
--- a/net/mac80211/fils_aead.c
+++ b/net/mac80211/fils_aead.c
@@ -195,7 +195,7 @@ static int aes_siv_decrypt(const u8 *key, size_t key_len,
res = aes_s2v(key /* K1 */, key_len, num_elem, addr, len, check);
if (res)
return res;
- if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0)
+ if (crypto_memneq(check, frame_iv, AES_BLOCK_SIZE))
return -EINVAL;
return 0;
}
base-commit: 8cdeaa50eae8dad34885515f62559ee83e7e8dda
--
2.55.0