1 files changed, 34 insertions, 0 deletions

diff --git a/package/kernel/mac80211/patches/310-mac80211-fix-invalid-read-in-minstrel_sort_best_tp_r.patch b/package/kernel/mac80211/patches/310-mac80211-fix-invalid-read-in-minstrel_sort_best_tp_r.patch
new file mode 100644
index 0000000000..51a315c204
--- /dev/null
+++ b/package/kernel/mac80211/patches/310-mac80211-fix-invalid-read-in-minstrel_sort_best_tp_r.patch
@@ -0,0 +1,34 @@
+From: Adrien Schildknecht <adrien+dev@schischi.me>
+Date: Tue, 28 Jul 2015 10:30:16 +0200
+Subject: [PATCH] mac80211: fix invalid read in minstrel_sort_best_tp_rates()
+
+At the last iteration of the loop, j may equal zero and thus
+tp_list[j - 1] causes an invalid read.
+Changed the logic of the loop so that j - 1 is always >= 0.
+
+Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
+---
+
+--- a/net/mac80211/rc80211_minstrel.c
++++ b/net/mac80211/rc80211_minstrel.c
+@@ -92,14 +92,15 @@ int minstrel_get_tp_avg(struct minstrel_
+ static inline void
+ minstrel_sort_best_tp_rates(struct minstrel_sta_info *mi, int i, u8 *tp_list)
+ {
+-	int j = MAX_THR_RATES;
+-	struct minstrel_rate_stats *tmp_mrs = &mi->r[j - 1].stats;
++	int j;
++	struct minstrel_rate_stats *tmp_mrs;
+ 	struct minstrel_rate_stats *cur_mrs = &mi->r[i].stats;
+ 
+-	while (j > 0 && (minstrel_get_tp_avg(&mi->r[i], cur_mrs->prob_ewma) >
+-	       minstrel_get_tp_avg(&mi->r[tp_list[j - 1]], tmp_mrs->prob_ewma))) {
+-		j--;
++	for (j = MAX_THR_RATES; j > 0; --j) {
+ 		tmp_mrs = &mi->r[tp_list[j - 1]].stats;
++		if (minstrel_get_tp_avg(&mi->r[i], cur_mrs->prob_ewma) <=
++		    minstrel_get_tp_avg(&mi->r[tp_list[j - 1]], tmp_mrs->prob_ewma))
++			break;
+ 	}
+ 
+ 	if (j < MAX_THR_RATES - 1)