From cce39344610ce83956379d369cf42a514d5bc258 Mon Sep 17 00:00:00 2001
From: Valentin Bartenev <vbart@nginx.com>
Date: Tue, 23 May 2017 20:19:39 +0300
Subject: HTTP/2: fixed segfault when memory allocation failed.

If allocation of cleanup handler in the HTTP/2 header filter failed, then
a stream might be freed with a HEADERS frame left in the output queue.

Now the HEADERS frame is accounted in the queue before trying to allocate
the cleanup handler.
---
 src/http/v2/ngx_http_v2_filter_module.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index dac50463e..7276531ff 100644
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -619,6 +619,8 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
 
     ngx_http_v2_queue_blocked_frame(r->stream->connection, frame);
 
+    r->stream->queued = 1;
+
     cln = ngx_http_cleanup_add(r, 0);
     if (cln == NULL) {
         return NGX_ERROR;
@@ -627,8 +629,6 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
     cln->handler = ngx_http_v2_filter_cleanup;
     cln->data = r->stream;
 
-    r->stream->queued = 1;
-
     fc->send_chain = ngx_http_v2_send_chain;
     fc->need_last_buf = 1;
 
-- 
cgit