BUG/MAJOR: h2: always remove a stream from the send list before freeing it

When a stream is aborted on timeout or any reason initiated by the stream,
and this stream was subscribed to the send list, we forgot to detach it
when freeing it, resulting in a dead node remaining present in the send
list with all usual funny consequences (memory corruption, crashes, etc).
Let's simply unconditionally delete the stream.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index eb8dd0ed4496486debe7f1ab25084377956c6f62..57f1dfe0a923fcdfcc5d34cc6fe246dbab3f0304 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2267,6 +2267,9 @@ static void h2_detach(struct conn_stream *cs)
        if (h2s->flags & (H2_SF_BLK_MBUSY | H2_SF_BLK_MROOM | H2_SF_BLK_MFCTL))
                return;
 
+       /* the stream could be in the send list */
+       LIST_DEL(&h2s->list);
+
        if ((h2c->flags & H2_CF_DEM_BLOCK_ANY && h2s->id == h2c->dsi) ||
            (h2c->flags & H2_CF_MUX_BLOCK_ANY && h2s->id == h2c->msi)) {
                /* unblock the connection if it was blocked on this