From: Willy Tarreau Date: Thu, 5 Dec 2024 14:18:38 +0000 (+0100) Subject: BUG/MEDIUM: mux-h2: make sure not to touch dummy streams when sending WU X-Git-Tag: v3.2-dev1~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d649278fce9729415b31e873a3b91d6d0b259d16;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: mux-h2: make sure not to touch dummy streams when sending WU Since commit 1cc851d9f2 ("MEDIUM: mux-h2: start to update stream when sending WU") we started storing stream offsets in the h2s struct. These offsets are updated at a few points, where it's safe to write to the stream, and in h2c_send_strm_wu(), where the h2s->h2c was not performed. Due to this, nothing protects the h2s from being updated when sending a WU for a closed stream, which might only happen when acknowledging a frame after resetting that stream, which is quite unlikely. In any case if this happens, it will crash as in issue #2793 since the closed streams are purposely read-only to catch such bugs. The fix is trivial, just check h2s->h2c before deciding to update the stream. Thanks to @Wahnes for reporting this, and Christopher for spotting the cause. This needs to be backported to 3.1 only. --- diff --git a/src/mux_h2.c b/src/mux_h2.c index 970223c42b..9788753f6b 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -2991,7 +2991,7 @@ static int h2c_send_strm_wu(struct h2c *h2c) if (ret > 0) { h2c->wu_s = 0; h2s = h2c_st_by_id(h2c, h2c->dsi); - if (h2s) + if (h2s && h2s->h2c) h2s->last_adv_ofs = h2s->next_max_ofs; } out:
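Review bot: In h2c_send_strm_wu(), the new condition `if (h2s && h2s->h2c)` carries no comment explaining why a non-NULL h2s can still be unsafe to write to, so it reads as a redundant pointer check that a later cleanup could drop. A short comment above it would record the invariant from the commit message: h2c_st_by_id() can return a closed stream that is purposely read-only, and the h2s->h2c test is what excludes it before `h2s->last_adv_ofs = h2s->next_max_ofs;` runs. The message also says these offsets are updated at a few other points where writing is safe. If the same test is ever needed there, a small named helper wrapping it would make the guard searchable and harder to omit the next time a write to the stream offsets is added.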