From d790143d990859f4d5af2c5a9e9e0aac94baa69e Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 29 Dec 2017 11:34:40 +0100 Subject: [PATCH] BUG/MEDIUM: h2: ensure we always know the stream before sending a reset The recent patch introducing the H2_CS_FRAME_E state to emit stream resets was not totally correct in that in the rare case where there is no room left to emit the reset, the next call to process it later could use an uninitialized stream. This only affects responses to frames that are sent on closed streams though. This fix must be backported to 1.8. --- src/mux_h2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/mux_h2.c b/src/mux_h2.c index 16c3ba1be..71660f8e8 100644 --- a/src/mux_h2.c +++ b/src/mux_h2.c @@ -1808,12 +1808,12 @@ static void h2_process_demux(struct h2c *h2c) h2_skip_frame_hdr(h2c->dbuf); } - if (h2c->st0 == H2_CS_FRAME_E) - goto strm_err; - /* Only H2_CS_FRAME_P and H2_CS_FRAME_A here */ h2s = h2c_st_by_id(h2c, h2c->dsi); + if (h2c->st0 == H2_CS_FRAME_E) + goto strm_err; + if (h2s->st == H2_SS_IDLE && h2c->dft != H2_FT_HEADERS && h2c->dft != H2_FT_PRIORITY) { /* RFC7540#5.1: any frame other than HEADERS or PRIORITY in
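Review bot: The context comment `/* Only H2_CS_FRAME_P and H2_CS_FRAME_A here */` is stale after this reorder: it sits directly above `h2s = h2c_st_by_id(h2c, h2c->dsi);`, which now also runs when `h2c->st0 == H2_CS_FRAME_E`. I would move that comment below the `goto strm_err` test and state the real constraint above the lookup, e.g. `/* resolve h2s before any jump to strm_err: the reset path needs it, including on re-entry in H2_CS_FRAME_E */`. That ordering is the whole fix, and without such a comment a later cleanup could swap the two statements back and reintroduce the uninitialized-stream use described in the commit message. The `strm_err` label and the declaration of `h2s` are outside this hunk, so it cannot be checked here whether `h2s` has a defined initial value; if it does not, initialising it (for example to `NULL`) would make a regression of this kind fail deterministically instead of reading an indeterminate pointer.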