BUG/MEDIUM: h2: only destroy the h2s if h2s->cs is NULL.

In h2_deferred_shut(), only attempt to destroy the h2s if h2s->cs is NULL.
h2s->cs being non-NULL means it's still referenced by the stream interface,
so it may try to use it later, and that could lead to a crash.

This should be backported to 1.9.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index ab8504ecc35997840efe9a9eb52d23ca67e85a9c..273bb920181c87c119ee54ead653c03152359804 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3233,7 +3233,7 @@ static struct task *h2_deferred_shut(struct task *t, void *ctx, unsigned short s
                ret |= h2_do_shutr(h2s);
 
        /* We're no longer trying to send anything, let's destroy the h2s */
-       if (!ret) {
+       if (!ret && (h2s->cs == NULL)) {
                struct h2c *h2c = h2s->h2c;
                h2s_destroy(h2s);