From 94121e7cd7e84325347a4a5cf76d03e51510a4a1 Mon Sep 17 00:00:00 2001
From: Martin Stein
Date: Wed, 19 Jan 2022 10:27:53 +0100
Subject: [PATCH] uplink_client_base: no deref of invalid connection

Imagine receiving the signal for an available TX ack or an available RX packet at the Uplink connection but a later received signal for a link-state change (to link state "down") at the same connection is handled first and destructs the Uplink connection before the handling of the former signals. In this case, the methods 'Uplink_client_base::_conn_tx_handle_ack_avail' and 'Uplink_client_base::_conn_rx_handle_packet_avail' must be guarded against an unconstructed '_conn' member, but they weren't so far.

Fixes #4384
---
 .../drivers/nic/include/drivers/nic/uplink_client_base.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/repos/os/src/drivers/nic/include/drivers/nic/uplink_client_base.h b/repos/os/src/drivers/nic/include/drivers/nic/uplink_client_base.h
index 56c921c825..543b47431d 100644
--- a/repos/os/src/drivers/nic/include/drivers/nic/uplink_client_base.h
+++ b/repos/os/src/drivers/nic/include/drivers/nic/uplink_client_base.h
@@ -59,6 +59,9 @@ class Genode::Uplink_client_base : Noncopyable
 void _conn_tx_handle_ack_avail()
 {
+ if (!_conn.constructed()) {
+ return;
+ }
 while (_conn->tx()->ack_avail()) {
 _conn->tx()->release_packet(_conn->tx()->get_acked_packet());
@@ -67,6 +70,9 @@ class Genode::Uplink_client_base : Noncopyable
 void _conn_rx_handle_packet_avail()
 {
+ if (!_conn.constructed()) {
+ return;
+ }
 bool drv_ready_to_transmit_pkt { _drv_link_state };
 bool pkts_transmitted { false };
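Review bot: Both added guards, in `_conn_tx_handle_ack_avail` and again in `_conn_rx_handle_packet_avail` (second hunk), return silently with no in-code explanation of why `_conn` can be unconstructed when the signal is handled; that reasoning lives only in the commit message. I would put a short comment above each check, e.g. `/* a link-down signal handled first may already have destructed '_conn' */`, so the guard is not later removed as dead code. The same ordering presumably applies to any other handler in this class that dereferences `_conn` outside these hunks, so those are worth checking for the same guard. Both function bodies continue beyond the hunks shown.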