HTTP/2: fixed a segfault while processing unbuffered upload.

The ngx_http_v2_finalize_connection() closes current stream, but that is an
invalid operation while processing unbuffered upload.  This results in access
to already freed memory, since the upstream module sets a cleanup handler that
also finalizes the request.

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 208f0f325abba20a043977a63d1ae4695a368e49..94f57a717361bb739ac95eda20324cb2dd59fd2a 100644 (file)
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -4169,10 +4169,6 @@ ngx_http_v2_finalize_connection(ngx_http_v2_connection_t *h2c,
 
     c->error = 1;
 
-    if (h2c->state.stream) {
-        ngx_http_v2_close_stream(h2c->state.stream, NGX_HTTP_BAD_REQUEST);
-    }
-
     if (!h2c->processing) {
         ngx_http_close_connection(c);
         return;