aboutsummaryrefslogtreecommitdiffstats
path: root/net/sched/sch_netem.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2013-07-03 17:04:14 -0400
committerDavid S. Miller <davem@davemloft.net>2013-07-03 19:52:10 -0400
commit36b7bfe09b6deb71bf387852465245783c9a6208 (patch)
tree19b913e5a43e3010c8c8790c7aa87d0d5167dea1 /net/sched/sch_netem.c
parent9eb5bf838d06aa6ddebe4aca6b5cedcf2eb53b86 (diff)
netem: fix possible NULL deref in netem_dequeue()
commit aec0a40a6f7884 ("netem: use rb tree to implement the time queue") added a regression if a child qdisc is attached to netem, as we perform a NULL dereference. Fix this by adding a temporary variable to cache netem_skb_cb(skb)->time_to_send. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched/sch_netem.c')
-rw-r--r--net/sched/sch_netem.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index ed0082cf8eff..82f6016d89ab 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -554,10 +554,13 @@ deliver:
554 } 554 }
555 p = rb_first(&q->t_root); 555 p = rb_first(&q->t_root);
556 if (p) { 556 if (p) {
557 psched_time_t time_to_send;
558
557 skb = netem_rb_to_skb(p); 559 skb = netem_rb_to_skb(p);
558 560
559 /* if more time remaining? */ 561 /* if more time remaining? */
560 if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) { 562 time_to_send = netem_skb_cb(skb)->time_to_send;
563 if (time_to_send <= psched_get_time()) {
561 rb_erase(p, &q->t_root); 564 rb_erase(p, &q->t_root);
562 565
563 sch->q.qlen--; 566 sch->q.qlen--;
@@ -593,8 +596,7 @@ deliver:
593 if (skb) 596 if (skb)
594 goto deliver; 597 goto deliver;
595 } 598 }
596 qdisc_watchdog_schedule(&q->watchdog, 599 qdisc_watchdog_schedule(&q->watchdog, time_to_send);
597 netem_skb_cb(skb)->time_to_send);
598 } 600 }
599 601
600 if (q->qdisc) { 602 if (q->qdisc) {