[libsoup/carlosgc/http2-crash] http2: do not try a write after the last data frame

From: Carlos Garcia Campos <carlosgc src gnome org>
To: commits-list gnome org
Cc:
Subject: [libsoup/carlosgc/http2-crash] http2: do not try a write after the last data frame
Date: Sat, 26 Mar 2022 19:21:12 +0000 (UTC)


commit 4ca3885565838509f63f4630597fb5e10a3ba0e9
Author: Carlos Garcia Campos <cgarcia igalia com>
Date:   Sat Mar 26 10:29:14 2022 +0100

    http2: do not try a write after the last data frame
    
    It crashes accessing data->item because the stream is closed at this
    point.
    
    Fixes #272

 libsoup/http2/soup-client-message-io-http2.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
---
diff --git a/libsoup/http2/soup-client-message-io-http2.c b/libsoup/http2/soup-client-message-io-http2.c
index 0426a142..e0d96241 100644
--- a/libsoup/http2/soup-client-message-io-http2.c
+++ b/libsoup/http2/soup-client-message-io-http2.c
@@ -759,16 +759,19 @@ on_frame_recv_callback (nghttp2_session     *session,
         case NGHTTP2_DATA:
                 if (data->metrics)
                         data->metrics->response_body_bytes_received += frame->data.hd.length + 
FRAME_HEADER_SIZE;
-                if (frame->hd.flags & NGHTTP2_FLAG_END_STREAM && data->body_istream) {
-                        soup_body_input_stream_http2_complete (SOUP_BODY_INPUT_STREAM_HTTP2 
(data->body_istream));
-                        if (data->state == STATE_READ_DATA_START) {
-                                io_try_sniff_content (data, FALSE, data->item->cancellable);
-                                if (data->state == STATE_READ_DATA && data->item->async)
-                                        soup_http2_message_data_check_status (data);
+                if (frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
+                        if (data->body_istream) {
+                                soup_body_input_stream_http2_complete (SOUP_BODY_INPUT_STREAM_HTTP2 
(data->body_istream));
+                                if (data->state == STATE_READ_DATA_START) {
+                                        io_try_sniff_content (data, FALSE, data->item->cancellable);
+                                        if (data->state == STATE_READ_DATA && data->item->async)
+                                                soup_http2_message_data_check_status (data);
+                                }
                         }
+                } else {
+                        /* Try to write after every data frame, since nghttp2 might need to send a window 
update. */
+                        io_try_write (io, !data->item->async);
                 }
-                /* Try to write after every data frame, since nghttp2 might need to send a window update. */
-                io_try_write (io, !data->item->async);
                 break;
         case NGHTTP2_RST_STREAM:
                 if (frame->rst_stream.error_code != NGHTTP2_NO_ERROR) {

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]