首頁 探索 說明
登入
GfA
/
linux_kernel
5
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
瀏覽代碼

netem: fix possible NULL deref in netem_dequeue()

commit aec0a40a6f7884 ("netem: use rb tree to implement the time queue")
added a regression if a child qdisc is attached to netem, as we perform
a NULL dereference.

Fix this by adding a temporary variable to cache
netem_skb_cb(skb)->time_to_send.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet 12 年之前
父節點
9eb5bf838d
當前提交
36b7bfe09b
共有 1 個文件被更改,包括 5 次插入3 次删除
統一視圖 顯示文件統計
  1. 5 3
      net/sched/sch_netem.c

+ 5 - 3
net/sched/sch_netem.c
查看文件 

@@ -554,10 +554,13 @@ deliver:
 
 	}
 
 	}
 
 	p = rb_first(&q->t_root);
 
 	p = rb_first(&q->t_root);
 
 	if (p) {
 
 	if (p) {
 
+		psched_time_t time_to_send;
 
+
 
 		skb = netem_rb_to_skb(p);
 
 		skb = netem_rb_to_skb(p);
 
 
 
 		/* if more time remaining? */
 
 		/* if more time remaining? */
 
-		if (netem_skb_cb(skb)->time_to_send <= psched_get_time()) {
 
+		time_to_send = netem_skb_cb(skb)->time_to_send;
 
+		if (time_to_send <= psched_get_time()) {
 
 			rb_erase(p, &q->t_root);
 
 			rb_erase(p, &q->t_root);
 
 
 
 			sch->q.qlen--;
 
 			sch->q.qlen--;
 
@@ -593,8 +596,7 @@ deliver:
 
 			if (skb)
 
 			if (skb)
 
 				goto deliver;
 
 				goto deliver;
 
 		}
 
 		}
 
-		qdisc_watchdog_schedule(&q->watchdog,
 
-					netem_skb_cb(skb)->time_to_send);
 
+		qdisc_watchdog_schedule(&q->watchdog, time_to_send);
 
 	}
 
 	}
 
 
 
 	if (q->qdisc) {
 
 	if (q->qdisc) {