From 828159fcd4f198d9ec30df778c36f99ac1ed09e1 Mon Sep 17 00:00:00 2001
From: James M Snell
Date: Thu, 31 May 2018 15:26:12 -0700
Subject: [PATCH] http2: fixup http2stream cleanup and other nits
This fixes CVE-2018-7161.
PR-URL: https://github.com/nodejs-private/node-private/pull/122
Reviewed-By: Evan Lucas
Reviewed-By: Michael Dawson
---
 src/node_http2.cc | 6 +++++-
 src/node_http2.h | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 67c5c67982a178..c51f9453a224d5 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -500,6 +500,8 @@ Http2Session::Http2Session(Environment* env,
 Http2Session::~Http2Session() {
 CHECK_EQ(flags_ & SESSION_STATE_HAS_SCOPE, 0);
 DEBUG_HTTP2SESSION(this, "freeing nghttp2 session");
+ for (const auto& iter : streams_)
+ iter.second->session_ = nullptr;
 nghttp2_session_del(session_);
 }
@@ -643,6 +645,8 @@ inline void Http2Session::AddStream(Http2Stream* stream) {
 inline void Http2Session::RemoveStream(Http2Stream* stream) {
+ if (streams_.empty() || stream == nullptr)
+ return; // Nothing to remove, item was never added?
 streams_.erase(stream->id());
 DecrementCurrentSessionMemory(stream->self_size());
 }
@@ -1697,8 +1701,8 @@ Http2Stream::Http2Stream(
 Http2Stream::~Http2Stream() {
- DEBUG_HTTP2STREAM(this, "tearing down stream");
 if (session_ != nullptr) {
+ DEBUG_HTTP2STREAM(this, "tearing down stream");
 session_->RemoveStream(this);
 session_ = nullptr;
 }
diff --git a/src/node_http2.h b/src/node_http2.h
index 780bdc8c6e1919..91c19b65e54343 100644
--- a/src/node_http2.h
+++ b/src/node_http2.h
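Review bot: The loop added to `~Http2Session()` leaves every stream still in `streams_` with a null `session_`, but nothing in the code records that a stream may now outlive its session. `~Http2Stream()` checks for this in the third hunk of this file; other Http2Stream members that read `session_` are outside the diff and presumably need the same check, otherwise a dangling pointer is merely traded for a null dereference. I would add a comment above the loop such as `// Streams may outlive the session; detach them so ~Http2Stream() does not call back into a destroyed session.` The loop variable would also read better as `entry` than `iter`, since it is a key/value pair and not an iterator.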
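Review bot: The new guard in `RemoveStream()` only covers an empty `streams_` or a null `stream`; when the map is non-empty and the stream was never added, `erase()` removes nothing but `DecrementCurrentSessionMemory()` still runs, so the session's memory accounting drifts downward. Assuming `streams_` is a standard associative container keyed by stream id, tying the decrement to the erase result covers both cases: `if (stream == nullptr || streams_.erase(stream->id()) == 0) return;`. Erasing by id also trusts that the id maps to this same object. With `id_` now defaulting to 0 in node_http2.h, a stream whose id was never assigned would target key 0.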
@@ -721,8 +721,8 @@ class Http2Stream : public AsyncWrap,
 Statistics statistics_ = {};
 private:
- Http2Session* session_; // The Parent HTTP/2 Session
- int32_t id_; // The Stream Identifier
+ Http2Session* session_ = nullptr; // The Parent HTTP/2 Session
+ int32_t id_ = 0; // The Stream Identifier
 int32_t code_ = NGHTTP2_NO_ERROR; // The RST_STREAM code (if any)
 int flags_ = NGHTTP2_STREAM_FLAG_NONE; // Internal state flags
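Review bot: The member comments on `session_` and `id_` do not say what the new default values mean, although the rest of the patch depends on them: `~Http2Stream()` treats a null `session_` as "not attached to a session". I would extend them, for example `// The Parent HTTP/2 Session (nullptr when detached)` and `// The Stream Identifier (0 until assigned)`. The class body continues outside the hunk, so whether every constructor path assigns both members before use cannot be checked from here.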