Curl_http2_done: fix memleak in error path

Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for early failures. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 Closes #3046
author: Daniel Stenberg <daniel@haxx.se> 2018-09-25 11:48:43 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2018-09-25 17:03:45 +0200
commit: 304bb2f7c1b463373aa31c1530144c67f6afddb2 (patch)
tree: 40f4695836f14ace7d589df0ede10a695d0bd62b /lib
parent: 4058cf2a7f7e2590c26588c4eb476ac5c029cb5a (diff)
download: curl-304bb2f7c1b463373aa31c1530144c67f6afddb2.tar.gz
1 files changed, 8 insertions, 6 deletions
diff --git a/lib/http2.c b/lib/http2.c
index b1a8213bd..29edfba7a 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1142,12 +1142,8 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
   struct HTTP *http = data->req.protop;
   struct http_conn *httpc = &conn->proto.httpc;
 
-  if(!httpc->h2) /* not HTTP/2 ? */
-    return;
-
-  if(data->state.drain)
-    drained_transfer(data, httpc);
-
+  /* there might be allocated resources done before this got the 'h2' pointer
+     setup */
   if(http->header_recvbuf) {
     Curl_add_buffer_free(&http->header_recvbuf);
     Curl_add_buffer_free(&http->trailer_recvbuf);
@@ -1161,6 +1157,12 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
     }
   }
 
+  if(!httpc->h2) /* not HTTP/2 ? */
+    return;
+
+  if(data->state.drain)
+    drained_transfer(data, httpc);
+
   if(premature) {
     /* RST_STREAM */
     if(!nghttp2_submit_rst_stream(httpc->h2, NGHTTP2_FLAG_NONE,
author	Daniel Stenberg <daniel@haxx.se>	2018-09-25 11:48:43 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2018-09-25 17:03:45 +0200
commit	304bb2f7c1b463373aa31c1530144c67f6afddb2 (patch)
tree	40f4695836f14ace7d589df0ede10a695d0bd62b /lib
parent	4058cf2a7f7e2590c26588c4eb476ac5c029cb5a (diff)
download	curl-304bb2f7c1b463373aa31c1530144c67f6afddb2.tar.gz