HTTP/2: fixed segfault when memory allocation failed.

If allocation of cleanup handler in the HTTP/2 header filter failed, then
a stream might be freed with a HEADERS frame left in the output queue.

Now the HEADERS frame is accounted in the queue before trying to allocate
the cleanup handler.

diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
index dac50463e8103eb5c08e962a5942fff73aa87e6e..7276531ffa395066fb1c30d57e60da08d0ae9c86 100644 (file)
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@@ -619,6 +619,8 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
 
     ngx_http_v2_queue_blocked_frame(r->stream->connection, frame);
 
+    r->stream->queued = 1;
+
     cln = ngx_http_cleanup_add(r, 0);
     if (cln == NULL) {
         return NGX_ERROR;
@@ -627,8 +629,6 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
     cln->handler = ngx_http_v2_filter_cleanup;
     cln->data = r->stream;
 
-    r->stream->queued = 1;
-
     fc->send_chain = ngx_http_v2_send_chain;
     fc->need_last_buf = 1;