linux/net/mac80211
Felix Fietkau 280ba51d60 mac80211: minstrel_ht: fix a crash in rate sorting
The commit 5935839ad7
"mac80211: improve minstrel_ht rate sorting by throughput & probability"

introduced a crash on rate sorting that occurs when the rate added to
the sorting array is faster than all the previous rates. Due to an
off-by-one error, it reads the rate index from tp_list[-1], which
contains uninitialized stack garbage, and then uses the resulting index
for accessing the group rate stats, leading to a crash if the garbage
value is big enough.

Cc: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-11-18 22:39:16 +01:00
..
aes_ccm.c mac80211: Fix regression that triggers a kernel BUG with CCMP 2014-11-06 12:42:22 +01:00
aes_ccm.h
aes_cmac.c
aes_cmac.h
agg-rx.c mac80211: fix offloaded BA session traffic after hw restart 2014-09-03 13:40:38 +02:00
agg-tx.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
cfg.c mac80211: return the vif's chandef in ieee80211_cfg_get_channel() 2014-10-09 11:01:58 +02:00
cfg.h
chan.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
debug.h
debugfs_key.c
debugfs_key.h
debugfs_netdev.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs_netdev.h
debugfs_sta.c This time, I have some rate minstrel improvements, support for a very 2014-09-15 14:51:23 -04:00
debugfs_sta.h
debugfs.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs.h
driver-ops.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
ethtool.c cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
event.c
ht.c mac80211: set Rx highest rate in ht_cap 2014-07-21 12:14:04 +02:00
ibss.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
ieee80211_i.h mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
iface.c mac80211: properly flush delayed scan work on interface removal 2014-10-30 15:48:32 +01:00
Kconfig
key.c mac80211: clear key material when freeing keys 2014-09-11 12:07:23 +02:00
key.h
led.c
led.h
main.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
Makefile cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
mesh_hwmp.c mac80211: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
mesh_pathtbl.c mac80211: Replace rcu_dereference() with rcu_access_pointer() 2014-08-27 12:14:10 +02:00
mesh_plink.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-09-08 11:14:56 -04:00
mesh_ps.c
mesh_sync.c
mesh.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
mesh.h
michael.c
michael.h
mlme.c mac80211: schedule the actual switch of the station before CSA count 0 2014-10-29 16:37:54 +01:00
offchannel.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
pm.c mac80211: introduce refcount for queue_stop_reasons 2014-06-23 14:22:25 +02:00
rate.c mac80211: fix typo in starting baserate for rts_cts_rate_idx 2014-10-14 11:16:16 +02:00
rate.h
rc80211_minstrel_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht.c mac80211: minstrel_ht: fix a crash in rate sorting 2014-11-18 22:39:16 +01:00
rc80211_minstrel_ht.h mac80211: improve minstrel_ht rate sorting by throughput & probability 2014-09-11 12:10:14 +02:00
rc80211_minstrel.c mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rc80211_minstrel.h mac80211: Unify rate statistic variables between Minstrel & Minstrel_HT 2014-09-11 12:08:31 +02:00
rx.c mac80211: fix use-after-free in defragmentation 2014-11-03 14:28:50 +01:00
scan.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
spectmgmt.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
sta_info.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
sta_info.h mac80211: fix warning on htmldocs for last_tdls_pkt_time 2014-10-09 10:33:29 +02:00
status.c mac80211: add TDLS connection timeout 2014-09-11 12:18:47 +02:00
tdls.c mac80211: set network header in TDLS frames 2014-09-11 12:25:22 +02:00
tkip.c
tkip.h
trace.c
trace.h mac80211: extend set_coverage_class signature 2014-09-05 13:54:07 +02:00
tx.c Merge tag 'master-2014-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next 2014-09-26 15:39:24 -04:00
util.c mac80211: support DTPC IE (from Cisco Client eXtensions) 2014-09-08 10:52:00 +02:00
vht.c mac80211: disable VHT for TDLS 2014-07-21 12:14:04 +02:00
wep.c
wep.h
wme.c mac80211: add Intel Mobile Communications copyright 2014-09-05 13:52:06 +02:00
wme.h
wpa.c mac80211: annotate MMIC head/tailroom warning 2014-09-08 11:22:42 +02:00
wpa.h