On Sat, 2023-02-18 at 11:11 -0800, Kees Cook wrote: > > case WLAN_CIPHER_SUITE_CCMP: > key_flags |= STA_KEY_FLG_CCMP; > - memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); > + memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen); This should be fine though, only up to 16 bytes for CCMP. > case WLAN_CIPHER_SUITE_TKIP: > key_flags |= STA_KEY_FLG_TKIP; > sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32; > for (i = 0; i < 5; i++) > sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]); > - memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen); > + memcpy(&sta_cmd.key.keys, keyconf->key, keyconf->keylen); And that's actually a bug, we should've copied only 16 bytes, I guess. DVM didn't support MIC offload anyway (at least the way Linux uses the firmware, though I thought it doesn't at all), so we don't need the MIC RX/TX keys in there, but anyway the sequence counter values are not part of the key material on the host. I don't think I have a machine now to test this with (nor a TKIP AP, of course, but that could be changed) - but I suspect that since we actually calculate the TTAK above, we might not even need this memcpy() at all? johannes
