From: Olivier Houchard <ohouchard@haproxy.com>
Date: Mon, 25 Mar 2019 12:25:02 +0000 (+0100)
Subject: BUG/MEDIUM: h2: only destroy the h2s if h2s->cs is NULL.
X-Git-Tag: v2.0-dev2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01d4cb5339689a9ffe80924cbb2704cbb646ea82;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h2: only destroy the h2s if h2s->cs is NULL.

In h2_deferred_shut(), only attempt to destroy the h2s if h2s->cs is NULL.
h2s->cs being non-NULL means it's still referenced by the stream interface,
so it may try to use it later, and that could lead to a crash.

This should be backported to 1.9.
---

diff --git a/src/mux_h2.c b/src/mux_h2.c
index ab8504ecc3..273bb92018 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3233,7 +3233,7 @@ static struct task *h2_deferred_shut(struct task *t, void *ctx, unsigned short s
 		ret |= h2_do_shutr(h2s);
 
 	/* We're no longer trying to send anything, let's destroy the h2s */
-	if (!ret) {
+	if (!ret && (h2s->cs == NULL)) {
 		struct h2c *h2c = h2s->h2c;
 		h2s_destroy(h2s);