From: Willy Tarreau Date: Thu, 23 Nov 2017 17:12:50 +0000 (+0100) Subject: BUG/MAJOR: h2: always remove a stream from the send list before freeing it X-Git-Tag: v1.8.0~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=541dd82879b686dd208e8823154fb07bd945fb85;p=thirdparty%2Fhaproxy.git BUG/MAJOR: h2: always remove a stream from the send list before freeing it When a stream is aborted on timeout or any reason initiated by the stream, and this stream was subscribed to the send list, we forgot to detach it when freeing it, resulting in a dead node remaining present in the send list with all usual funny consequences (memory corruption, crashes, etc). Let's simply unconditionally delete the stream. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index eb8dd0ed44..57f1dfe0a9 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2267,6 +2267,9 @@ static void h2_detach(struct conn_stream *cs) if (h2s->flags & (H2_SF_BLK_MBUSY | H2_SF_BLK_MROOM | H2_SF_BLK_MFCTL)) return; + /* the stream could be in the send list */ + LIST_DEL(&h2s->list); + if ((h2c->flags & H2_CF_DEM_BLOCK_ANY && h2s->id == h2c->dsi) || (h2c->flags & H2_CF_MUX_BLOCK_ANY && h2s->id == h2c->msi)) { /* unblock the connection if it was blocked on this
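Review bot: The added LIST_DEL(&h2s->list) in h2_detach() sits below the early return taken when any of H2_SF_BLK_MBUSY, H2_SF_BLK_MROOM or H2_SF_BLK_MFCTL is set, so the removal is not unconditional in the sense the commit message gives: a stream that leaves through that return stays linked. If that is intended because the stream is not freed on that path, the comment should say so; otherwise the delete belongs above the flag check. The comment also says the stream only "could be" in the send list, so the call relies on h2s->list being a valid self-linked node whenever the stream is not queued. Please state that invariant next to the call, and if LIST_DEL leaves the removed node's pointers untouched, consider following it with LIST_INIT(&h2s->list) so that any later removal of the same node before the free cannot act on stale neighbour pointers.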