Merge /httpd/httpd/trunk:r1930444

icing · icing · commit e41e84e08e61 · 2025-12-22T12:16:34.000Z
*) mod_http2: update to version 2.0.37 Prevent double purge of a stream, resulting in a double free. Fixes PR 69899. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930796 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/changes-entries/h2_v2.0.37.txt b/changes-entries/h2_v2.0.37.txt
@@ -0,0 +1,4 @@
+  *) mod_http2: update to version 2.0.37
+     Prevent double purge of a stream, resulting in a double free.
+     Fixes PR 69899.
+     [Stefan Eissing]
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
@@ -126,12 +126,24 @@ int h2_mplx_c1_stream_is_running(h2_mplx *m, h2_stream *stream)
     return rv;
 }
 
+static int add_for_purge(h2_mplx *m, h2_stream *stream)
+{
+    int i;
+    for (i = 0; i < m->spurge->nelts; ++i) {
+        h2_stream *s = APR_ARRAY_IDX(m->spurge, i, h2_stream*);
+        if (s == stream)  /* already scheduled for purging */
+            return FALSE;
+    }
+    APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+    return TRUE;
+}
+
 static void c1c2_stream_joined(h2_mplx *m, h2_stream *stream)
 {
     ap_assert(!stream_is_running(stream));
     
     h2_ihash_remove(m->shold, stream->id);
-    APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+    add_for_purge(m, stream);
 }
 
 static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
@@ -164,7 +176,7 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
             ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
                           H2_STRM_MSG(stream, "cleanup, c2 is done, move to spurge"));
             /* processing has finished */
-            APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+            add_for_purge(m, stream);
         }
         else {
             ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
@@ -178,9 +190,10 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
     }
     else {
         /* never started */
-        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
-                      H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
-        APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+        int added = add_for_purge(m, stream);
+        if (added)
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
+                          H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
     }
 }
 
diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h
@@ -27,15 +27,15 @@
  * @macro
  * Version number of the http2 module as c string
  */
-#define MOD_HTTP2_VERSION "2.0.35"
+#define MOD_HTTP2_VERSION "2.0.37"
 
 /**
  * @macro
  * Numerical representation of the version number of the http2 module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_HTTP2_VERSION_NUM 0x020023
+#define MOD_HTTP2_VERSION_NUM 0x020025
 
 
 #endif /* mod_h2_h2_version_h */
