mac80211: fix a crash bug in minstrel_ht
Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 43298
This commit is contained in:
parent
9cd492b3e1
commit
49aca2431c
|
@ -0,0 +1,47 @@
|
|||
From: Felix Fietkau <nbd@openwrt.org>
|
||||
Date: Tue, 18 Nov 2014 21:43:25 +0100
|
||||
Subject: [PATCH] mac80211: minstrel_ht: fix a crash in rate sorting
|
||||
|
||||
The commit 5935839ad73583781b8bbe8d91412f6826e218a4
|
||||
"mac80211: improve minstrel_ht rate sorting by throughput & probability"
|
||||
|
||||
introduced a crash on rate sorting that occurs when the rate added to
|
||||
the sorting array is faster than all the previous rates. Due to an
|
||||
off-by-one error, it reads the rate index from tp_list[-1], which
|
||||
contains uninitialized stack garbage, and then uses the resulting index
|
||||
for accessing the group rate stats, leading to a crash if the garbage
|
||||
value is big enough.
|
||||
|
||||
Cc: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
|
||||
Reported-by: Jouni Malinen <j@w1.fi>
|
||||
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/rc80211_minstrel_ht.c
|
||||
+++ b/net/mac80211/rc80211_minstrel_ht.c
|
||||
@@ -394,19 +394,16 @@ minstrel_ht_sort_best_tp_rates(struct mi
|
||||
cur_thr = mi->groups[cur_group].rates[cur_idx].cur_tp;
|
||||
cur_prob = mi->groups[cur_group].rates[cur_idx].probability;
|
||||
|
||||
- tmp_group = tp_list[j - 1] / MCS_GROUP_RATES;
|
||||
- tmp_idx = tp_list[j - 1] % MCS_GROUP_RATES;
|
||||
- tmp_thr = mi->groups[tmp_group].rates[tmp_idx].cur_tp;
|
||||
- tmp_prob = mi->groups[tmp_group].rates[tmp_idx].probability;
|
||||
-
|
||||
- while (j > 0 && (cur_thr > tmp_thr ||
|
||||
- (cur_thr == tmp_thr && cur_prob > tmp_prob))) {
|
||||
- j--;
|
||||
+ do {
|
||||
tmp_group = tp_list[j - 1] / MCS_GROUP_RATES;
|
||||
tmp_idx = tp_list[j - 1] % MCS_GROUP_RATES;
|
||||
tmp_thr = mi->groups[tmp_group].rates[tmp_idx].cur_tp;
|
||||
tmp_prob = mi->groups[tmp_group].rates[tmp_idx].probability;
|
||||
- }
|
||||
+ if (cur_thr < tmp_thr ||
|
||||
+ (cur_thr == tmp_thr && cur_prob <= tmp_prob))
|
||||
+ break;
|
||||
+ j--;
|
||||
+ } while (j > 0);
|
||||
|
||||
if (j < MAX_THR_RATES - 1) {
|
||||
memmove(&tp_list[j + 1], &tp_list[j], (sizeof(*tp_list) *
|
Loading…
Reference in New Issue