From: Willy Tarreau Date: Mon, 20 Mar 2023 18:14:47 +0000 (+0100) Subject: BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd X-Git-Tag: v2.8-dev6~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcdc6cc15b86dc89de4ca55244a2152386f1d1f1;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd In h2s_close() we may dereference h2s->sd to get the sc, but this function may be called on allocation error paths, so we must check for this specific condition. Let's also update the comment to make it explicitly permitted. This needs to be backported to 2.6. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index c2c9b21426..1d4dd3a756 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -1397,7 +1397,9 @@ static int h2_fragment_headers(struct buffer *b, uint32_t mfs) /* marks stream as CLOSED and decrement the number of active streams for * its connection if the stream was not yet closed. Please use this exclusively - * before closing a stream to ensure stream count is well maintained. + * before closing a stream to ensure stream count is well maintained. Note that + * it does explicitly support being called with a partially initialized h2s + * (e.g. sd==NULL). */ static inline void h2s_close(struct h2s *h2s) { @@ -1406,7 +1408,7 @@ static inline void h2s_close(struct h2s *h2s) h2s->h2c->nb_streams--; if (!h2s->id) h2s->h2c->nb_reserved--; - if (h2s_sc(h2s)) { + if (h2s->sd && h2s_sc(h2s)) { if (!se_fl_test(h2s->sd, SE_FL_EOS) && !b_data(&h2s->rxbuf)) h2s_notify_recv(h2s); }
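Review bot: In the updated comment above h2s_close() (first hunk), "partially initialized h2s (e.g. sd==NULL)" does not say which fields may be unset, and the "e.g." implies there could be others. The body visible in the second hunk still reads h2s->h2c and h2s->id with no NULL or validity check, so the contract is narrower than the comment suggests. Suggest spelling it out, for example that only sd may be NULL while h2c and id must already be valid, so callers on allocation error paths know what has to be set before they call this.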
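Review bot: The h2s->sd test added in the second hunk, "if (h2s->sd && h2s_sc(h2s)) {", protects only this one call to h2s_sc(). Going by the commit message, obtaining the sc dereferences h2s->sd, so any other caller that can run with a partially initialized h2s would hit the same NULL dereference. Consider auditing the other h2s_sc() callers reachable from allocation error paths, or making the helper itself tolerate sd == NULL so the check lives in one place. Separately, the subject speaks of freeing an unallocated h2s->sd while the change guards a dereference; a subject that matches the fix would make the 2.6 backport easier to triage.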