From 1d71ce845a6ac3887205c2842fad0a476f7cf3ec Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 26 Apr 2018 16:07:10 +0200
Subject: http2: fix null pointer dereference in http2_connisdead
This function can get called on a connection that isn't setup enough to have the 'recv_underlying' function pointer initialized so it would try to call the NULL pointer.
Reported-by: Dario Weisser
Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
Closes #2536
---
 lib/http2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/http2.c b/lib/http2.c
index 25d74c1a1..770ebdab5 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -202,8 +202,11 @@ static bool http2_connisdead(struct connectdata *conn)
 only "protocol frames" */
 CURLcode result;
 struct http_conn *httpc = &conn->proto.httpc;
- ssize_t nread = ((Curl_recv *)httpc->recv_underlying)(
- conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, &result);
+ ssize_t nread = -1;
+ if(httpc->recv_underlying)
+ /* if called "too early", this pointer isn't setup yet! */
+ nread = ((Curl_recv *)httpc->recv_underlying)(
+ conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, &result);
 if(nread != -1) {
 infof(conn->data,
 "%d bytes stray data read before trying h2 connection\n",
-- cgit v1.2.3
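Review bot: The added `if(httpc->recv_underlying)` is unbraced, yet its body is a comment followed by a call that wraps over two lines, so a statement inserted there later would silently land outside the guard that prevents the NULL function-pointer call. I would move the comment above the condition and brace the body, i.e. `if(httpc->recv_underlying) {` ... `}`. Presetting `nread` to -1 also makes "recv_underlying not set up yet" indistinguishable from a failed read, and the branch that handles -1 is outside this hunk, so the comment should state the intended outcome, for example `/* called "too early": recv_underlying isn't set up yet, nread stays -1 and is handled like a failed read (confirm) */`. `result` stays unassigned on that path, which is safe only while every use of it remains inside `if(nread != -1)`; that block runs past the end of the hunk, and the body of http2_connisdead starts and ends outside it.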