From 83373e2f7f6a3acfd2a6b3a44274e822c61206a3 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Fri, 10 Aug 2018 15:07:51 -0700
Subject: [PATCH] http2: avoid race condition in OnHeaderCallback

Fixes: https://github.com/nodejs/node/issues/21416

PR-URL: https://github.com/nodejs/node/pull/22256
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: George Adams <george.adams@uk.ibm.com>
---
 src/node_http2.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/node_http2.cc b/src/node_http2.cc
index d1319c9d82fd97..e741120f5034d5 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -881,7 +881,12 @@ int Http2Session::OnHeaderCallback(nghttp2_session* handle,
   Http2Session* session = static_cast<Http2Session*>(user_data);
   int32_t id = GetFrameID(frame);
   Http2Stream* stream = session->FindStream(id);
-  CHECK_NOT_NULL(stream);
+  // If stream is null at this point, either something odd has happened
+  // or the stream was closed locally while header processing was occurring.
+  // either way, do not proceed and close the stream.
+  if (stream == nullptr)
+    return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+
   // If the stream has already been destroyed, ignore.
   if (!stream->IsDestroyed() && !stream->AddHeader(name, value, flags)) {
     // This will only happen if the connected peer sends us more