From bcdc6cc15b86dc89de4ca55244a2152386f1d1f1 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 20 Mar 2023 19:14:47 +0100
Subject: [PATCH] BUG/MEDIUM: mux-h2: do not try to free an unallocated h2s->sd

In h2s_close() we may dereference h2s->sd to get the sc, but this function may be called on allocation error paths, so we must check for this specific condition. Let's also update the comment to make it explicitly permitted. This needs to be backported to 2.6.
---
 src/mux_h2.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index c2c9b21426..1d4dd3a756 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -1397,7 +1397,9 @@ static int h2_fragment_headers(struct buffer *b, uint32_t mfs)

 /* marks stream as CLOSED and decrement the number of active streams for
 * its connection if the stream was not yet closed. Please use this exclusively
- * before closing a stream to ensure stream count is well maintained.
+ * before closing a stream to ensure stream count is well maintained. Note that
+ * it does explicitly support being called with a partially initialized h2s
+ * (e.g. sd==NULL).
 */
 static inline void h2s_close(struct h2s *h2s)
 {
@@ -1406,7 +1408,7 @@ static inline void h2s_close(struct h2s *h2s)
 h2s->h2c->nb_streams--;
 if (!h2s->id)
 h2s->h2c->nb_reserved--;
- if (h2s_sc(h2s)) {
+ if (h2s->sd && h2s_sc(h2s)) {
 if (!se_fl_test(h2s->sd, SE_FL_EOS) && !b_data(&h2s->rxbuf))
 h2s_notify_recv(h2s);
 }
-- 
2.47.3
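Review bot: The updated comment in the first hunk promises support for "a partially initialized h2s (e.g. sd==NULL)", but the second hunk only guards `h2s->sd`; the surrounding context lines still dereference `h2s->h2c` (`h2s->h2c->nb_streams--`, `h2s->h2c->nb_reserved--`) and read `h2s->id` and `h2s->rxbuf` unconditionally. I would narrow the wording so that an error-path caller does not assume more than the code tolerates, for example `* it may be called with h2s->sd == NULL (allocation failure); h2s->h2c, h2s->id and h2s->rxbuf must already be initialized.` Because the NULL check is placed at this call site rather than inside `h2s_sc()`, it is also worth confirming that no other caller can reach `h2s_sc()` on the same allocation-error path; that helper is not visible in this patch, so this is a question rather than a finding. The body of `h2s_close()` begins before the second hunk and continues past it.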