From 759ca1eacc406bf32919964a9d1881cc761caf28 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 23 Jan 2019 14:39:41 +0100 Subject: [PATCH] BUG/MAJOR: mux-h2: don't destroy the stream on failed allocation in h2_snd_buf() In case we cannot allocate a stream ID for an outgoing stream, the stream will be aborted. The problem is that we also release it and it will be destroyed again by the application detecting the error, leading to a NULL dereference in h2_shutr() and h2_shutw(). Let's only mark the error on the CS and let the rest of the code handle the close. This should be backported to 1.9. --- src/mux_h2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index acc38e8e2..47f0e8cc3 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -5141,9 +5141,7 @@ static size_t h2_snd_buf(struct conn_stream *cs, struct buffer *buf, size_t coun int32_t id = h2c_get_next_sid(h2s->h2c); if (id < 0) { - cs->ctx = NULL; cs->flags |= CS_FL_ERROR; - h2s_destroy(h2s); return 0; }