netem: fix possible NULL deref in netem_dequeue()

commit aec0a40 ("netem: use rb tree to implement the time queue") added a regression if a child qdisc is attached to netem, as we perform a NULL dereference. Fix this by adding a temporary variable to cache netem_skb_cb(skb)->time_to_send. Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]>
josf · Jul 3, 2013 · 36b7bfe · 36b7bfe
1 parent 9eb5bf8
commit 36b7bfe
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
@@ -554,10 +554,13 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
 	}
 	p = rb_first(&q->t_root);
 	if (p) {
+		psched_time_t time_to_send;
+
 		skb = netem_rb_to_skb(p);
 
 		/* if more time remaining? */
-		if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {
+		time_to_send = netem_skb_cb(skb)->time_to_send;
+		if (time_to_send <= psched_get_time()) {
 			rb_erase(p, &q->t_root);
 
 			sch->q.qlen--;
@@ -593,8 +596,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
 			if (skb)
 				goto deliver;
 		}
-		qdisc_watchdog_schedule(&q->watchdog,
-					netem_skb_cb(skb)->time_to_send);
+		qdisc_watchdog_schedule(&q->watchdog, time_to_send);
 	}
 
 	if (q->qdisc) {