> > struct cfg80211_cached_keys {
> > - struct key_params params[6];
> > - u8 data[6][WLAN_MAX_KEY_LEN];
> > - int def, defmgmt;
> > + struct key_params params[4];
> > + u8 data[4][WLAN_KEY_LEN_WEP104];
> > + int def;
> > };
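Review bot: shrinking params[] and data[] from 6 to 4 entries and the per-key buffer from WLAN_MAX_KEY_LEN to WLAN_KEY_LEN_WEP104 is only safe if every writer of cfg80211_cached_keys bounds the key index against ARRAY_SIZE(params) and the key length against sizeof(data[0]); nothing in this hunk adds such a check, so any store path that still accepts key index 4 or 5, or a key longer than 13 bytes, writes past data[] into def and beyond the structure. Suggest adding the index and length checks at the store sites in the same patch (or restricting the callers to static WEP keys explicitly), and confirming that all readers of the removed defmgmt field are updated.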
>
> As noted in our irc discussion, this is not really a good thing to
> do.
> WEXT compat code uses this structure for all ciphers, not just static
> WEP keys. BIP configuration can use key index 4-5 and the key lengths
> can go up to 32 bytes instead of WLAN_KEY_LEN_WEP104. In other words,
> this patch should be dropped or reverted since it causes kernel
> panics due to memory corruption when writing beyond this reduced size
> structure.
Yeah, this was obviously a mistake - and smatch even pointed it out to
me, but I *still* couldn't find it.
I've just sent a fix to *really* only store the WEP keys, which fixes
the issue (after I could reproduce it) for me.
johannes
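The overflow the thread describes, as an added illustration that is not code from the patch, from cfg80211 or from either poster: a standalone model of the reduced structure from the quoted hunk with the index and length checks that the reduced layout requires, plus an offset calculation showing where an unchecked write of a BIP key (index 4, 16 bytes) or a CCMP/TKIP key would land. The struct key_params here is a cut-down stand-in with only the fields needed for the demonstration, the function names cached_keys_store, store_into_fresh and unchecked_write_end are hypothetical, and the WLAN_* constants use the values from the kernel's include/linux/ieee80211.h.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values as defined in the kernel's include/linux/ieee80211.h. */
#define WLAN_KEY_LEN_WEP40     5
#define WLAN_KEY_LEN_WEP104    13
#define WLAN_KEY_LEN_CCMP      16
#define WLAN_KEY_LEN_AES_CMAC  16
#define WLAN_KEY_LEN_TKIP      32
#define WLAN_MAX_KEY_LEN       32

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Cut-down stand-in for the kernel's struct key_params (hypothetical;
 * the real structure has more fields). */
struct key_params {
	const uint8_t *key;
	int key_len;
	uint32_t cipher;
};

/* Reduced layout exactly as in the quoted hunk: 4 slots, WEP104-sized
 * buffers, no defmgmt. */
struct cfg80211_cached_keys {
	struct key_params params[4];
	uint8_t data[4][WLAN_KEY_LEN_WEP104];
	int def;
};

/* Store a key into the cache.  Returns 0 on success, -EINVAL if the key
 * does not fit the reduced layout.  The first two checks are the ones
 * whose absence the thread blames for the memory corruption: without
 * them, idx 4/5 indexes past params[]/data[] and a 16- or 32-byte key
 * runs past the 13-byte per-slot buffer. */
int cached_keys_store(struct cfg80211_cached_keys *ck, unsigned int idx,
		      uint32_t cipher, const uint8_t *key, size_t len)
{
	if (idx >= ARRAY_SIZE(ck->params))
		return -EINVAL;	/* BIP indices 4 and 5 no longer fit */
	if (len > sizeof(ck->data[idx]))
		return -EINVAL;	/* CCMP/TKIP/BIP key lengths do not fit */
	if (len != WLAN_KEY_LEN_WEP40 && len != WLAN_KEY_LEN_WEP104)
		return -EINVAL;	/* the reduced cache holds static WEP only */

	memcpy(ck->data[idx], key, len);
	ck->params[idx].key = ck->data[idx];
	ck->params[idx].key_len = (int)len;
	ck->params[idx].cipher = cipher;
	return 0;
}

/* Byte offset, relative to the start of the structure, at which an
 * UNCHECKED memcpy of `len` bytes into data[idx] would end.  Anything
 * above sizeof(struct cfg80211_cached_keys) is an out-of-bounds write;
 * anything above offsetof(..., def) already clobbers def. */
size_t unchecked_write_end(unsigned int idx, size_t len)
{
	return offsetof(struct cfg80211_cached_keys, data) +
	       (size_t)idx * WLAN_KEY_LEN_WEP104 + len;
}

/* Convenience wrapper for the demonstration: stores a constructed
 * all-0x41 key of the given length into a fresh cache and returns the
 * result of cached_keys_store(). */
int store_into_fresh(unsigned int idx, uint32_t cipher, size_t len)
{
	struct cfg80211_cached_keys ck;
	uint8_t key[WLAN_MAX_KEY_LEN];	/* constructed sample key material */

	memset(&ck, 0, sizeof(ck));
	memset(key, 0x41, sizeof(key));
	return cached_keys_store(&ck, idx, cipher, key, len);
}

int main(void)
{
	/* Static WEP104 at index 0: fits. */
	int wep = store_into_fresh(0, 0x000FAC01, WLAN_KEY_LEN_WEP104);
	/* BIP (AES-CMAC) at index 4: rejected; unchecked it would end past
	 * the end of the structure. */
	int bip = store_into_fresh(4, 0x000FAC06, WLAN_KEY_LEN_AES_CMAC);
	/* CCMP at index 1: rejected; unchecked it would spill into slot 2. */
	int ccmp = store_into_fresh(1, 0x000FAC04, WLAN_KEY_LEN_CCMP);

	return (wep == 0 && bip == -EINVAL && ccmp == -EINVAL &&
		unchecked_write_end(4, WLAN_KEY_LEN_AES_CMAC) >
			sizeof(struct cfg80211_cached_keys)) ? 0 : 1;
}
```

The offset helper is the quick way to audit a change like this during review: compute the end of the largest write every caller can still issue against the new sizeof, rather than trusting that all callers were updated at the same time as the structure.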