From: Daniel Stenberg Date: Tue, 25 Sep 2018 09:48:43 +0000 (+0200) Subject: Curl_http2_done: fix memleak in error path X-Git-Tag: curl-7_62_0~136 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=304bb2f7c1b463373aa31c1530144c67f6afddb2;p=thirdparty%2Fcurl.git Curl_http2_done: fix memleak in error path Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for early failures. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 Closes #3046
---
diff --git a/lib/http2.c b/lib/http2.c
index b1a8213bd2..29edfba7a4 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1142,12 +1142,8 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
 struct HTTP *http = data->req.protop;
 struct http_conn *httpc = &conn->proto.httpc;
- if(!httpc->h2) /* not HTTP/2 ? */
- return;
-
- if(data->state.drain)
- drained_transfer(data, httpc);
-
+ /* there might be allocated resources done before this got the 'h2' pointer
+ setup */
 if(http->header_recvbuf) {
 Curl_add_buffer_free(&http->header_recvbuf);
 Curl_add_buffer_free(&http->trailer_recvbuf);
@@ -1161,6 +1157,12 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
 }
 }
+ if(!httpc->h2) /* not HTTP/2 ? */
+ return;
+
+ if(data->state.drain)
+ drained_transfer(data, httpc);
+
 if(premature) {
 /* RST_STREAM */
 if(!nghttp2_submit_rst_stream(httpc->h2, NGHTTP2_FLAG_NONE,
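Review bot: The `if(http->header_recvbuf)` block in the first hunk dereferences `http` (`data->req.protop`) with no NULL check, and it now runs on every call because the `if(!httpc->h2)` guard has moved below it (second hunk). That includes transfers that never reached HTTP/2 setup. Nothing visible in these hunks shows that `protop` is always set on those paths, so either guard the block, `if(http && http->header_recvbuf) {`, or state the invariant in the comment so a later caller does not turn this cleanup into a NULL dereference. The added comment is also hard to parse; something like `/* buffers may be allocated before the 'h2' session pointer is set up, so free them even on early failure */` says the same thing directly. The body of Curl_http2_done starts before the first hunk and continues past the second.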