From 541dd82879b686dd208e8823154fb07bd945fb85 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Thu, 23 Nov 2017 18:12:50 +0100
Subject: [PATCH] BUG/MAJOR: h2: always remove a stream from the send list before freeing it

When a stream is aborted on timeout or any reason initiated by the stream, and this stream was subscribed to the send list, we forgot to detach it when freeing it, resulting in a dead node remaining present in the send list with all usual funny consequences (memory corruption, crashes, etc). Let's simply unconditionally delete the stream.
---
 src/mux_h2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/mux_h2.c b/src/mux_h2.c
index eb8dd0ed4..57f1dfe0a 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2267,6 +2267,9 @@ static void h2_detach(struct conn_stream *cs)
 if (h2s->flags & (H2_SF_BLK_MBUSY | H2_SF_BLK_MROOM | H2_SF_BLK_MFCTL))
 return;

+ /* the stream could be in the send list */
+ LIST_DEL(&h2s->list);
+
 if ((h2c->flags & H2_CF_DEM_BLOCK_ANY && h2s->id == h2c->dsi) ||
 (h2c->flags & H2_CF_MUX_BLOCK_ANY && h2s->id == h2c->msi)) {
 /* unblock the connection if it was blocked on this
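Review bot: The unconditional `LIST_DEL(&h2s->list);` is only safe if `h2s->list` is always either linked or self-pointing, and nothing in this hunk shows that invariant; if any path leaves the node with stale `n`/`p` pointers, this delete writes through them, which is the same class of memory corruption the commit sets out to fix. I would state the invariant in the comment, e.g. `/* the stream could be in the send list; h2s->list is self-linked when not queued, so this is a no-op then */`, and follow the delete with `LIST_INIT(&h2s->list);` so a second removal of the same node stays harmless. h2_detach starts before and continues past this hunk, so whether the stream is freed on every path below cannot be confirmed from here. The early `return` on the H2_SF_BLK_* flags just above runs before the delete, so a blocked stream stays queued; presumably it is released later, and that later release path needs the same removal (to be confirmed against the rest of the file).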