author | Eric Dumazet <edumazet@google.com> | 2013-07-03 14:04:14 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-07-03 16:52:10 -0700 |
commit | 36b7bfe09b6deb71bf387852465245783c9a6208 (patch) | |
tree | 19b913e5a43e3010c8c8790c7aa87d0d5167dea1 | |
parent | 9eb5bf838d06aa6ddebe4aca6b5cedcf2eb53b86 (diff) | |
netem: fix possible NULL deref in netem_dequeue()
commit aec0a40a6f7884 ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.
Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/sched/sch_netem.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index ed0082cf8eff..82f6016d89ab 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -554,10 +554,13 @@ deliver:
 }
 p = rb_first(&q->t_root);
 if (p) {
+ psched_time_t time_to_send;
+
 skb = netem_rb_to_skb(p);
 
 /* if more time remaining? */
- if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {
+ time_to_send = netem_skb_cb(skb)->time_to_send;
+ if (time_to_send <= psched_get_time()) {
 rb_erase(p, &q->t_root);
 
 sch->q.qlen--;
@@ -593,8 +596,7 @@ deliver:
 if (skb)
 goto deliver;
 }
- qdisc_watchdog_schedule(&q->watchdog,
- netem_skb_cb(skb)->time_to_send);
+ qdisc_watchdog_schedule(&q->watchdog, time_to_send);
 }
 
 if (q->qdisc) { |
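Review bot: The existing comment `/* if more time remaining? */` now sits above the new assignment rather than the comparison it describes, and nothing at the assignment says why the value is cached. The reason is only visible in the second hunk: when the child dequeue leaves `skb` NULL, control falls through `if (skb) goto deliver;` to `qdisc_watchdog_schedule()`, so `skb` must not be read there. I would move the assignment above the older comment and give it its own comment, for example `/* cache now: skb may be NULL after the child qdisc dequeue below */`, so a later cleanup does not fold the temporary back into a `netem_skb_cb(skb)` read. The enclosing function starts and ends outside both hunks, so the paths between the two hunks could not be checked from here.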