http2: fixup http2stream cleanup and other nits

jasnell · evanlucas · commit 354f2d97ff90 · 2018-06-11T17:56:00.000-05:00
This fixes CVE-2018-7161. PR-URL: https://github.com/nodejs-private/node-private/pull/123 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
diff --git a/src/node_http2.cc b/src/node_http2.cc
@@ -548,6 +548,8 @@ Http2Session::~Http2Session() {
     ClearWrap(object());
   persistent().Reset();
   CHECK(persistent().IsEmpty());
+  for (const auto& iter : streams_)
+    iter.second->session_ = nullptr;
   Unconsume();
   DEBUG_HTTP2SESSION(this, "freeing nghttp2 session");
   nghttp2_session_del(session_);
@@ -693,6 +695,8 @@ inline void Http2Session::AddStream(Http2Stream* stream) {
 
 
 inline void Http2Session::RemoveStream(Http2Stream* stream) {
+  if (streams_.empty() || stream == nullptr)
+    return;  // Nothing to remove, item was never added?
   streams_.erase(stream->id());
   DecrementCurrentSessionMemory(stream->self_size());
 }
@@ -1778,8 +1782,8 @@ Http2Stream::Http2Stream(
 
 
 Http2Stream::~Http2Stream() {
-  DEBUG_HTTP2STREAM(this, "tearing down stream");
   if (session_ != nullptr) {
+    DEBUG_HTTP2STREAM(this, "tearing down stream");
     session_->RemoveStream(this);
     session_ = nullptr;
   }
diff --git a/src/node_http2.h b/src/node_http2.h
@@ -723,8 +723,8 @@ class Http2Stream : public AsyncWrap,
   Statistics statistics_ = {};
 
  private:
-  Http2Session* session_;                       // The Parent HTTP/2 Session
-  int32_t id_;                                  // The Stream Identifier
+  Http2Session* session_ = nullptr;             // The Parent HTTP/2 Session
+  int32_t id_ = 0;                              // The Stream Identifier
   int32_t code_ = NGHTTP2_NO_ERROR;             // The RST_STREAM code (if any)
   int flags_ = NGHTTP2_STREAM_FLAG_NONE;        // Internal state flags
 
