Skip to content

http2: avoid uaf while receiving and sending rst_stream#64166

Open
Eusgor wants to merge 1 commit into
nodejs:mainfrom
Eusgor:main
Open

http2: avoid uaf while receiving and sending rst_stream#64166
Eusgor wants to merge 1 commit into
nodejs:mainfrom
Eusgor:main

Conversation

@Eusgor

@Eusgor Eusgor commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Mark the session as receiving around nghttp2_session_mem_recv() and defer RST_STREAM handling while receive is in progress. This prevents closing a stream while nghttp2 still processes it and avoids heap-use-after-free in nghttp2_session_mem_recv2().

Fixes: #64113

@nodejs-github-bot

nodejs-github-bot commented Jun 27, 2026

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/http2
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. labels Jun 27, 2026
@Eusgor Eusgor mentioned this pull request Jun 27, 2026
Open
@mertcanaltin

mertcanaltin commented Jun 27, 2026
edited
Loading

Copy link
Copy Markdown
Member

Can you use "-s" (for Signed-off-by) in first commit command, after run this command
example: git commit --amend --no-edit -s "http2: avoid uaf while receiving and sending rst_stream"

after:
CLANG_FORMAT_START=$(git merge-base HEAD main) make format-cpp for cpp lint errors

@Eusgor
http2: avoid uaf while receiving and sending rst_stream
dec48cc 
Mark the session as receiving around nghttp2_session_mem_recv() and
defer RST_STREAM handling while receive is in progress. This prevents
closing a stream while nghttp2 still processes it and avoids
heap-use-after-free in nghttp2_session_mem_recv2().

Fixes: nodejs#64113
Signed-off-by: Evgeniy Gorbanev <gorbanev.es@gmail.com>
@Eusgor

Eusgor commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Is everything correct now?

RafaelGSS
RafaelGSS reviewed Jun 29, 2026
View reviewed changes

@RafaelGSS RafaelGSS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a test case or an script that we could reproduce it?

@Eusgor

Eusgor commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Can you add a test case or an script that we could reproduce it?

The scripts are in the issue #64113
The error is reproduced when using the ASAN sanitizer.

mcollina
mcollina approved these changes Jun 29, 2026
View reviewed changes

@mcollina mcollina left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RafaelGSS RafaelGSS RafaelGSS left review comments
@mcollina mcollina mcollina approved these changes

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use-after-free error in http2 server

5 participants

@Eusgor @nodejs-github-bot @mertcanaltin @mcollina @RafaelGSS