+++ /dev/null
---- a/net/mac80211/key.h
-+++ b/net/mac80211/key.h
-@@ -90,6 +90,7 @@ struct ieee80211_key {
- * Management frames.
- */
- u8 rx_pn[NUM_RX_DATA_QUEUES + 1][6];
-+ u8 rx_invalid_pn[NUM_RX_DATA_QUEUES + 1];
- struct crypto_cipher *tfm;
- u32 replays; /* dot11RSNAStatsCCMPReplays */
- #ifndef AES_BLOCK_LEN
---- a/net/mac80211/wpa.c
-+++ b/net/mac80211/wpa.c
-@@ -457,6 +457,13 @@ ieee80211_crypto_ccmp_encrypt(struct iee
- return TX_CONTINUE;
- }
-
-+static inline u64 pn_to_u64(u8 *data)
-+{
-+ u64 pn = get_unaligned_be32(data + 2);
-+ pn |= ((u64) get_unaligned_be16(data)) << 32;
-+ return pn;
-+}
-+
-
- ieee80211_rx_result
- ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
-@@ -469,6 +476,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
- u8 pn[CCMP_PN_LEN];
- int data_len;
- int queue;
-+ u64 diff;
-
- hdrlen = ieee80211_hdrlen(hdr->frame_control);
-
-@@ -503,6 +511,11 @@ ieee80211_crypto_ccmp_decrypt(struct iee
- return RX_DROP_UNUSABLE;
- }
-
-+ diff = pn_to_u64(pn) - pn_to_u64(key->u.ccmp.rx_pn[queue]);
-+ if (diff > 1000 && key->u.ccmp.rx_invalid_pn[queue]++ < 10)
-+ return RX_DROP_UNUSABLE;
-+
-+ key->u.ccmp.rx_invalid_pn[queue] = 0;
- memcpy(key->u.ccmp.rx_pn[queue], pn, CCMP_PN_LEN);
-
- /* Remove CCMP header and MIC */