BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd

In h2s_close() we may dereference h2s->sd to get the sc, but this
function may be called on allocation error paths, so we must check
for this specific condition. Let's also update the comment to make
it explicitly permitted.

This needs to be backported to 2.6.

diff --git a/src/mux_h2.c b/src/mux_h2.c
index c2c9b21426e1975d3e2910dcb3b605bdf7f4cdc3..1d4dd3a756e3c07efb7f5d0b7451dbc4268509f0 100644 (file)
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -1397,7 +1397,9 @@ static int h2_fragment_headers(struct buffer *b, uint32_t mfs)
 
 /* marks stream <h2s> as CLOSED and decrement the number of active streams for
  * its connection if the stream was not yet closed. Please use this exclusively
- * before closing a stream to ensure stream count is well maintained.
+ * before closing a stream to ensure stream count is well maintained. Note that
+ * it does explicitly support being called with a partially initialized h2s
+ * (e.g. sd==NULL).
  */
 static inline void h2s_close(struct h2s *h2s)
 {
@@ -1406,7 +1408,7 @@ static inline void h2s_close(struct h2s *h2s)
                h2s->h2c->nb_streams--;
                if (!h2s->id)
                        h2s->h2c->nb_reserved--;
-               if (h2s_sc(h2s)) {
+               if (h2s->sd && h2s_sc(h2s)) {
                        if (!se_fl_test(h2s->sd, SE_FL_EOS) && !b_data(&h2s->rxbuf))
                                h2s_notify_recv(h2s);
                }