From d5d20cebb20f380229f9caa4200010a159248886 Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Fri, 4 Jun 2021 17:39:58 +0300
Subject: [PATCH] Fix a crash in the client-side DoH code (header processing callback)
Support a situation in header processing callback when client side code could receive a belated response or part of it. That could happen when the HTTP/2 session was already closed, but there were some response data from server in flight. Other client-side nghttp2 callbacks code already handled this case. The bug became apparent after HTTP/2 write buffering was supported, leading to rare unit test failures.
---
 lib/isc/netmgr/http.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 502cc240da..e9285639cc 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -696,12 +696,22 @@ client_on_header_callback(nghttp2_session *ngsession,
 REQUIRE(VALID_HTTP2_SESSION(session));
 REQUIRE(session->client);
- REQUIRE(!ISC_LIST_EMPTY(session->cstreams));
 UNUSED(flags);
 UNUSED(ngsession);
 cstream = find_http_cstream(frame->hd.stream_id, session);
+ if (cstream == NULL) {
+ /*
+ * This could happen in two cases:
+ * - the server sent us bad data, or
+ * - we closed the session prematurely before receiving all
+ * responses (i.e., because of a belated or partial response).
+ */
+ return (NGHTTP2_ERR_CALLBACK_FAILURE);
+ }
+
+ INSIST(!ISC_LIST_EMPTY(session->cstreams));
 switch (frame->hd.type) {
 case NGHTTP2_HEADERS:
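Review bot: Returning `NGHTTP2_ERR_CALLBACK_FAILURE` from the new `cstream == NULL` branch makes nghttp2 stop receive processing for the whole session, not only for the unknown stream. In the "server sent us bad data" case, a single header frame for an unrecognised stream id would therefore also fail any other requests still outstanding on that connection. If that is not intended, `return (NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE);` resets only the offending stream. If it is intended, as the commit message suggests by pointing to the other client callbacks, the comment should say that the session is deliberately abandoned. The two cases named in the comment are also indistinguishable afterwards because nothing is logged; a debug-level message carrying `frame->hd.stream_id` would let an operator tell a misbehaving server from the benign late-response race. The body of `client_on_header_callback` starts before and continues past this hunk.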