diff -ur iwlwifi-1.1.0/origin/iwl-base.c iwlwifi-1.1.0_1/origin/iwl-base.c
--- origin/iwl-base.c	2007-09-19 11:11:16.000000000 +0200
+++ origin/iwl-base.c	2007-10-12 13:46:23.000000000 +0200
@@ -1877,6 +1877,7 @@
 	int len = 0;
 	u8 *pos = NULL;
 	u16 ret_rates;
+	int rate_count = 0;
 
 	/* Make sure there is enough space for the probe request,
 	 * two mandatory IEs and the data */
@@ -1924,11 +1925,16 @@
 	/* ... fill it in... */
 	*pos++ = WLAN_EID_SUPP_RATES;
 	*pos = 0;
+
+	rate_count = 8;
+	if (left < 8)
+		rate_count = left;
+
 	ret_rates = priv->active_rate = priv->rates_mask;
 	priv->active_rate_basic = priv->rates_mask & IWL_BASIC_RATES_MASK;
 
 	iwl_supported_rate_to_ie(pos, priv->active_rate,
-				 priv->active_rate_basic, left);
+				 priv->active_rate_basic, rate_count);
 	len += 2 + *pos;
 	pos += (*pos) + 1;
 	ret_rates = ~ret_rates & priv->active_rate;
Nur in iwlwifi-1.1.0_1/origin: iwl-base.c.orig.