From 01d4cb5339689a9ffe80924cbb2704cbb646ea82 Mon Sep 17 00:00:00 2001 From: Olivier Houchard Date: Mon, 25 Mar 2019 13:25:02 +0100 Subject: [PATCH] BUG/MEDIUM: h2: only destroy the h2s if h2s->cs is NULL. In h2_deferred_shut(), only attempt to destroy the h2s if h2s->cs is NULL. h2s->cs being non-NULL means it's still referenced by the stream interface, so it may try to use it later, and that could lead to a crash. This should be backported to 1.9. --- src/mux_h2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index ab8504ecc..273bb9201 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -3233,7 +3233,7 @@ static struct task *h2_deferred_shut(struct task *t, void *ctx, unsigned short s ret |= h2_do_shutr(h2s); /* We're no longer trying to send anything, let's destroy the h2s */ - if (!ret) { + if (!ret && (h2s->cs == NULL)) { struct h2c *h2c = h2s->h2c; h2s_destroy(h2s);