netem: fix possible NULL deref in netem_dequeue()

commit aec0a40a6f7884 ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.

Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2013-07-03 14:04:14 -07:00 committed by David S. Miller
parent 9eb5bf838d
commit 36b7bfe09b

View File

@ -554,10 +554,13 @@ deliver:
}
p = rb_first(&q->t_root);
if (p) {
psched_time_t time_to_send;
skb = netem_rb_to_skb(p);
/* if more time remaining? */
if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {
time_to_send = netem_skb_cb(skb)->time_to_send;
if (time_to_send <= psched_get_time()) {
rb_erase(p, &q->t_root);
sch->q.qlen--;
@ -593,8 +596,7 @@ deliver:
if (skb)
goto deliver;
}
qdisc_watchdog_schedule(&q->watchdog,
netem_skb_cb(skb)->time_to_send);
qdisc_watchdog_schedule(&q->watchdog, time_to_send);
}
if (q->qdisc) {