Unverified Commit 304bb2f7 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

Curl_http2_done: fix memleak in error path 

Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
early failures.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
parent 4058cf2a

lib/http2.c

+8 −6
Original line number Diff line number Diff line
@@ -1142,12 +1142,8 @@ void Curl_http2_done(struct connectdata *conn, bool premature) 
  struct HTTP *http = data->req.protop;

  struct http_conn *httpc = &conn->proto.httpc;



  if(!httpc->h2) /* not HTTP/2 ? */

    return;



  if(data->state.drain)

    drained_transfer(data, httpc);



  /* there might be allocated resources done before this got the 'h2' pointer

     setup */

  if(http->header_recvbuf) {

    Curl_add_buffer_free(&http->header_recvbuf);

    Curl_add_buffer_free(&http->trailer_recvbuf);
@@ -1161,6 +1157,12 @@ void Curl_http2_done(struct connectdata *conn, bool premature) 
    }

  }



  if(!httpc->h2) /* not HTTP/2 ? */

    return;



  if(data->state.drain)

    drained_transfer(data, httpc);



  if(premature) {

    /* RST_STREAM */

    if(!nghttp2_submit_rst_stream(httpc->h2, NGHTTP2_FLAG_NONE,