mac80211: fix invalid read in minstrel_sort_best_tp_rates()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

At the last iteration of the loop, j may equal zero and thus
tp_list[j - 1] causes an invalid read.
Change the logic of the loop so that j - 1 is always >= 0.

Cc: stable@vger.kernel.org
Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Adrien Schildknecht and committed by

Johannes Berg 10 years ago f5eeb5fa 923b352f

+6 -5

1 changed file

expand all

net

mac80211

rc80211_minstrel.c

+6 -5

net/mac80211/rc80211_minstrel.c

··· 92 92 static inline void 93 93 minstrel_sort_best_tp_rates(struct minstrel_sta_info *mi, int i, u8 *tp_list) 94 94 { 95 - int j = MAX_THR_RATES; 96 - struct minstrel_rate_stats *tmp_mrs = &mi->r[j - 1].stats; 95 + int j; 96 + struct minstrel_rate_stats *tmp_mrs; 97 97 struct minstrel_rate_stats *cur_mrs = &mi->r[i].stats; 98 98 99 - while (j > 0 && (minstrel_get_tp_avg(&mi->r[i], cur_mrs->prob_ewma) > 100 - minstrel_get_tp_avg(&mi->r[tp_list[j - 1]], tmp_mrs->prob_ewma))) { 101 - j--; 99 + for (j = MAX_THR_RATES; j > 0; --j) { 102 100 tmp_mrs = &mi->r[tp_list[j - 1]].stats; 101 + if (minstrel_get_tp_avg(&mi->r[i], cur_mrs->prob_ewma) <= 102 + minstrel_get_tp_avg(&mi->r[tp_list[j - 1]], tmp_mrs->prob_ewma)) 103 + break; 103 104 } 104 105 105 106 if (j < MAX_THR_RATES - 1)