http2: fixup http2stream cleanup and other nits

This fixes CVE-2018-7161. PR-URL: https://github.com/nodejs-private/node-private/pull/115 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Evan Lucas <evanlucas@me.com>
nodejs · Jun 12, 2018 · 8681402 · 8681402
1 parent 9ba8ed1
commit 8681402
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/node_http2.cc b/src/node_http2.cc
@@ -499,6 +499,8 @@ Http2Session::Http2Session(Environment* env,
 Http2Session::~Http2Session() {
   CHECK_EQ(flags_ & SESSION_STATE_HAS_SCOPE, 0);
   Debug(this, "freeing nghttp2 session");
+  for (const auto& iter : streams_)
+    iter.second->session_ = nullptr;
   nghttp2_session_del(session_);
 }
 
@@ -651,6 +653,8 @@ inline void Http2Session::AddStream(Http2Stream* stream) {
 
 
 inline void Http2Session::RemoveStream(Http2Stream* stream) {
+  if (streams_.empty() || stream == nullptr)
+    return;  // Nothing to remove, item was never added?
   streams_.erase(stream->id());
   DecrementCurrentSessionMemory(stream->self_size());
 }

diff --git a/src/node_http2.h b/src/node_http2.h
@@ -651,8 +651,8 @@ class Http2Stream : public AsyncWrap,
   Statistics statistics_ = {};
 
  private:
-  Http2Session* session_;                       // The Parent HTTP/2 Session
-  int32_t id_;                                  // The Stream Identifier
+  Http2Session* session_ = nullptr;             // The Parent HTTP/2 Session
+  int32_t id_ = 0;                              // The Stream Identifier
   int32_t code_ = NGHTTP2_NO_ERROR;             // The RST_STREAM code (if any)
   int flags_ = NGHTTP2_STREAM_FLAG_NONE;        // Internal state flags