avoiding race where h2_stream is closed/reset by client while being unprocessed in...

author Stefan Eissing <icing@apache.org>

Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)

committer Stefan Eissing <icing@apache.org>

Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)
author Stefan Eissing <icing@apache.org>
Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)
committer Stefan Eissing <icing@apache.org>
Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)
diff --git a/modules/http2/h2_io.c b/modules/http2/h2_io.c

index 24d2a9feecddd2f233720ea173d34d55522946a4..42734430fa48f517a7aafa699918ee300efdaa9c 100644 (file)
--- a/modules/http2/h2_io.c
+++ b/modules/http2/h2_io.c
@@ -33,7 +33,6 @@ h2_io *h2_io_create(int id, apr_pool_t *pool, apr_bucket_alloc_t *bucket_alloc)
          io->pool = pool;
          io->bbin = NULL;
          io->bbout = apr_brigade_create(pool, bucket_alloc);
-        io->response = apr_pcalloc(pool, sizeof(h2_response));
      }
      return io;
  }
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c

index c04b05e7729bd90d23f6205dd2af1c1c985ab915..2d07b1eb6c344c64ccbb6b87c3781adbe3076204 100644 (file)
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -281,6 +281,7 @@ static void stream_destroy(h2_mplx *m, h2_stream *stream, h2_io *io)
           * file handle pool. */
          m->file_handles_allowed += io->files_handles_owned;
          h2_io_set_remove(m->stream_ios, io);
+        h2_io_set_remove(m->ready_ios, io);
          h2_io_destroy(io);
      }
  }
@@ -492,6 +493,8 @@ h2_stream *h2_mplx_next_submit(h2_mplx *m, h2_stream_set *streams)
          h2_io *io = h2_io_set_get_highest_prio(m->ready_ios);
          if (io) {
              h2_response *response = io->response;
+            
+            AP_DEBUG_ASSERT(response);
              h2_io_set_remove(m->ready_ios, io);
              
              stream = h2_stream_set_get(streams, response->stream_id);
@@ -564,6 +567,7 @@ static apr_status_t out_open(h2_mplx *m, int stream_id, h2_response *response,
          }
          
          io->response = h2_response_copy(io->pool, response);
+        AP_DEBUG_ASSERT(io->response);
          h2_io_set_add(m->ready_ios, io);
          if (bb) {
              status = out_write(m, io, f, bb, iowait);
@@ -641,7 +645,7 @@ apr_status_t h2_mplx_out_close(h2_mplx *m, int stream_id)
          if (!m->aborted) {
              h2_io *io = h2_io_set_get(m->stream_ios, stream_id);
              if (io) {
-                if (!io->response->ngheader) {
+                if (!io->response || !io->response->ngheader) {
                      /* In case a close comes before a response was created,
                       * insert an error one so that our streams can properly
                       * reset.
author	Stefan Eissing <icing@apache.org>
	Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)
committer	Stefan Eissing <icing@apache.org>
	Wed, 23 Sep 2015 09:42:03 +0000 (09:42 +0000)
modules/http2/h2_io.c		patch \| blob \| history
modules/http2/h2_mplx.c		patch \| blob \| history