Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 36b7bfe0 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

netem: fix possible NULL deref in netem_dequeue() 



commit aec0a40a ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.

Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9eb5bf83

net/sched/sch_netem.c

+5 −3
Original line number Diff line number Diff line
@@ -554,10 +554,13 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) 
	}

	p = rb_first(&q->t_root);

	if (p) {

		psched_time_t time_to_send;



		skb = netem_rb_to_skb(p);



		/* if more time remaining? */

		if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {

		time_to_send = netem_skb_cb(skb)->time_to_send;

		if (time_to_send <= psched_get_time()) {

			rb_erase(p, &q->t_root);



			sch->q.qlen--;
@@ -593,8 +596,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch) 
			if (skb)

				goto deliver;

		}

		qdisc_watchdog_schedule(&q->watchdog,

					netem_skb_cb(skb)->time_to_send);

		qdisc_watchdog_schedule(&q->watchdog, time_to_send);

	}



	if (q->qdisc) {