netem: fix possible NULL deref in netem_dequeue()
authorEric Dumazet <edumazet@google.com>
Wed, 3 Jul 2013 21:04:14 +0000 (14:04 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 3 Jul 2013 23:52:10 +0000 (16:52 -0700)
commit aec0a40a6f7884 ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.

Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_netem.c

index ed0082c..82f6016 100644 (file)
@@ -554,10 +554,13 @@ deliver:
        }
        p = rb_first(&q->t_root);
        if (p) {
+               psched_time_t time_to_send;
+
                skb = netem_rb_to_skb(p);
 
                /* if more time remaining? */
-               if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {
+               time_to_send = netem_skb_cb(skb)->time_to_send;
+               if (time_to_send <= psched_get_time()) {
                        rb_erase(p, &q->t_root);
 
                        sch->q.qlen--;
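Review bot: The new `time_to_send` local at the top of the `if (p)` block has no comment explaining why the value is cached, and the reason is not visible at the declaration. Per the commit message, `skb` can be NULL by the time `qdisc_watchdog_schedule()` runs in the second hunk, presumably because the child qdisc dequeue between the two hunks reassigns it. Without a note, a later cleanup could fold the value back into `netem_skb_cb(skb)->time_to_send` and reintroduce the dereference. I would add above the assignment `/* cache now: skb may be NULL after the child qdisc dequeue below */`. The enclosing function starts before and ends after both hunks, so the reassignment itself is not shown here.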
@@ -593,8 +596,7 @@ deliver:
                        if (skb)
                                goto deliver;
                }
-               qdisc_watchdog_schedule(&q->watchdog,
-                                       netem_skb_cb(skb)->time_to_send);
+               qdisc_watchdog_schedule(&q->watchdog, time_to_send);
        }
 
        if (q->qdisc) {