
http2: clear the h2 session at delete #20975

Closed
bagder wants to merge 1 commit into master from bagder/http2-null

Member

@bagder bagder commented Mar 18, 2026

When calling nghttp2 to delete session, clear the pointer to avoid risk of UAF.

Pointed out by Codex Security

Copilot AI left a comment

Pull request overview

This PR mitigates a potential use-after-free risk in the HTTP/2 (nghttp2) connection filter by clearing the session pointer immediately after destroying the nghttp2 session.

Changes:

  • After calling nghttp2_session_del(), explicitly set ctx->h2 = NULL to prevent accidental reuse of a freed session pointer.

@bagder bagder marked this pull request as ready for review March 18, 2026 09:17
Contributor

icing commented Mar 18, 2026

There is no code path where this "risking" happens. The improvement is valid, protecting from future call paths that may trigger this.

@bagder bagder closed this in a43ea59 Mar 18, 2026
@bagder bagder deleted the bagder/http2-null branch March 18, 2026 09:35
dkarpov1970 pushed a commit to dkarpov1970/curl that referenced this pull request Mar 25, 2026
When calling nghttp2 to delete session, clear the pointer to avoid risk
of UAF.

Pointed out by Codex Security

Closes curl#20975
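
The pattern discussed in this thread, as an added example that is not curl's code: a stand-in session type replaces nghttp2, and teardown runs twice to show that the cleared pointer turns a second delete into a no-op. Only the `ctx->h2` member name comes from the PR; `struct session`, `session_new`, `session_del`, `ctx_clear` and `ctx_open_streams` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an nghttp2 session; not the real library type. */
struct session { int open_streams; };

static int live_sessions; /* instrumentation: allocated and not yet deleted */

static struct session *session_new(void)
{
  struct session *s = calloc(1, sizeof(*s));
  if(s)
    live_sessions++;
  return s;
}

/* Stand-in for the library's delete call: releases the session memory. */
static void session_del(struct session *s)
{
  live_sessions--;
  free(s);
}

/* Hypothetical filter context; only the h2 member name is from the PR. */
struct h2_ctx { struct session *h2; };

/* Teardown in the PR's style: delete the session, then clear the pointer. */
static void ctx_clear(struct h2_ctx *ctx)
{
  if(ctx->h2) {
    session_del(ctx->h2);
    ctx->h2 = NULL; /* without this, a second call would double free */
  }
}

/* A later call path: with the pointer cleared it sees the torn-down state
   and returns -1 instead of reading freed memory. */
static int ctx_open_streams(struct h2_ctx *ctx)
{
  return ctx->h2 ? ctx->h2->open_streams : -1;
}

int main(void)
{
  struct h2_ctx ctx = { session_new() };
  ctx_clear(&ctx);
  ctx_clear(&ctx); /* no-op: the pointer was cleared on the first call */
  printf("streams=%d live=%d\n", ctx_open_streams(&ctx), live_sessions);
  return 0;
}
```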