From: Willy Tarreau <w@1wt.eu>
Date: Tue, 11 Feb 2020 03:38:56 +0000 (+0100)
Subject: BUG/MAJOR: mux-h2: don't wake streams after connection was destroyed
X-Git-Tag: v2.2-dev3~95
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=508f98975838e8716e6531af8771c4e1ca46d693;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: mux-h2: don't wake streams after connection was destroyed

In commit 477902b ("MEDIUM: connections: Get ride of the xprt_done
callback.") we added an inconditional call to h2_wake_some_streams()
in h2_wake(), though we must not do it if the connection is destroyed
or we end up with a use-after-free. In this case it's already done in
h2_process() before destroying the connection anyway.

Let's just add this test for now. A cleaner approach might consist in
doing it in the h2_process() function itself when a connection status
change is detected.

No backport is needed, this is purely 2.2.
---

diff --git a/src/mux_h2.c b/src/mux_h2.c
index df7a4e680d..6b6f42ea3e 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3650,7 +3650,8 @@ static int h2_wake(struct connection *conn)
 
 	TRACE_ENTER(H2_EV_H2C_WAKE, conn);
 	ret = h2_process(h2c);
-	h2_wake_some_streams(h2c, 0);
+	if (ret >= 0)
+		h2_wake_some_streams(h2c, 0);
 	TRACE_LEAVE(H2_EV_H2C_WAKE);
 	return ret;
 }