http2, tls: check content-length, fix RST and GOAWAY logic

benchmark/http2/headers.js

@@ -45,7 +45,7 @@ function main({ n, nheaders }) {
         } else {
           bench.end(n);
           server.close();
-          client.destroy();
+          client.close();
         }
       });
     }

deps/nghttp2/lib/nghttp2_session.c

@@ -1485,6 +1485,11 @@ int nghttp2_session_close_stream(nghttp2_session *session, int32_t stream_id,
 
   DEBUGF("stream: stream(%p)=%d close\n", stream, stream->stream_id);
 
+  if (error_code == NGHTTP2_NO_ERROR &&
+      nghttp2_http_on_remote_end_stream(stream) == -1) {
+    error_code = NGHTTP2_PROTOCOL_ERROR;
+  }
+
   /* We call on_stream_close_callback even if stream->state is
      NGHTTP2_STREAM_INITIAL. This will happen while sending request
      HEADERS, a local endpoint receives RST_STREAM for that stream. It
@@ -2516,9 +2521,6 @@ static int session_prep_frame(nghttp2_session *session,
     return 0;
   }
   case NGHTTP2_RST_STREAM:
-    if (session_is_closing(session)) {
-      return NGHTTP2_ERR_SESSION_CLOSING;
-    }
     nghttp2_frame_pack_rst_stream(&session->aob.framebufs, &frame->rst_stream);
     return 0;
   case NGHTTP2_SETTINGS: {
@@ -4181,6 +4183,11 @@ static int session_after_header_block_received(nghttp2_session *session) {
     return 0;
   }
 
+  /* on_frame might free the stream */
+  if (!nghttp2_session_get_stream(session, frame->hd.stream_id)) {
+    return 0;
+  }
+
   return session_end_stream_headers_received(session, frame, stream);
 }
 

deps/nghttp2/patches/0000-content-length.patch

@@ -0,0 +1,29 @@
+From 92c120c0ba2ed5806960f8ec9a338fefc17b0427 Mon Sep 17 00:00:00 2001
+From: Gil Pedersen <[email protected]>
+Date: Tue, 15 Sep 2020 12:36:34 +0000
+Subject: [PATCH] Check content-length before calling stream_close_callback
+ with error code 0
+
+---
+ deps/nghttp2/lib/nghttp2_session.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
+index 004a4dff..008f9d34 100644
+--- a/deps/nghttp2/lib/nghttp2_session.c
++++ b/deps/nghttp2/lib/nghttp2_session.c
+@@ -1485,6 +1485,11 @@ int nghttp2_session_close_stream(nghttp2_session *session, int32_t stream_id,
+
+   DEBUGF("stream: stream(%p)=%d close\n", stream, stream->stream_id);
+
++  if (error_code == NGHTTP2_NO_ERROR &&
++      nghttp2_http_on_remote_end_stream(stream) == -1) {
++    error_code = NGHTTP2_PROTOCOL_ERROR;
++  }
++
+   /* We call on_stream_close_callback even if stream->state is
+      NGHTTP2_STREAM_INITIAL. This will happen while sending request
+      HEADERS, a local endpoint receives RST_STREAM for that stream. It
+-- 
+2.40.1
+

deps/nghttp2/patches/0001-check-stream-free-after-header-received.patch

@@ -0,0 +1,29 @@
+From 9581880841f5afa00075eb6089389c03015334ce Mon Sep 17 00:00:00 2001
+From: Szymon Marczak <[email protected]>
+Date: Fri, 4 Oct 2024 08:08:15 +0200
+Subject: [PATCH] Check if session_call_on_frame_received frees the stream in
+ session_after_header_block_received
+
+---
+ deps/nghttp2/lib/nghttp2_session.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
+index 08efaf0f8e..8b818c30a2 100644
+--- a/deps/nghttp2/lib/nghttp2_session.c
++++ b/deps/nghttp2/lib/nghttp2_session.c
+@@ -4186,6 +4186,11 @@ static int session_after_header_block_received(nghttp2_session *session) {
+     return 0;
+   }
+
++  /* on_frame might free the stream */
++  if (!nghttp2_session_get_stream(session, frame->hd.stream_id)) {
++    return 0;
++  }
++
+   return session_end_stream_headers_received(session, frame, stream);
+ }
+
+-- 
+2.46.2
+

deps/nghttp2/patches/0002-rst-before-goaway.patch

@@ -0,0 +1,26 @@
+From a990ac8598241f939ca41bf7a7c53c40094663bf Mon Sep 17 00:00:00 2001
+From: Szymon Marczak <[email protected]>
+Date: Fri, 4 Oct 2024 11:52:30 +0200
+Subject: [PATCH] Allow RST_STREAM before GOAWAY
+
+---
+ deps/nghttp2/lib/nghttp2_session.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
+index 8b818c30a2..67d8b08d36 100644
+--- a/deps/nghttp2/lib/nghttp2_session.c
++++ b/deps/nghttp2/lib/nghttp2_session.c
+@@ -2521,9 +2521,6 @@ static int session_prep_frame(nghttp2_session *session,
+     return 0;
+   }
+   case NGHTTP2_RST_STREAM:
+-    if (session_is_closing(session)) {
+-      return NGHTTP2_ERR_SESSION_CLOSING;
+-    }
+     nghttp2_frame_pack_rst_stream(&session->aob.framebufs, &frame->rst_stream);
+     return 0;
+   case NGHTTP2_SETTINGS: {
+-- 
+2.46.2
+

doc/api/http2.md

@@ -507,7 +507,7 @@ added: v8.4.0
   due to an error.
 * `code` {number} The HTTP/2 error code to send in the final `GOAWAY` frame.
   If unspecified, and `error` is not undefined, the default is `INTERNAL_ERROR`,
-  otherwise defaults to `NO_ERROR`.
+  otherwise defaults to `CANCEL`.
 
 Immediately terminates the `Http2Session` and the associated `net.Socket` or
 `tls.TLSSocket`.

lib/_tls_wrap.js

@@ -810,6 +810,10 @@ TLSSocket.prototype._init = function(socket, wrap) {
   const ssl = this._handle;
   this.server = options.server;
 
+  // Required for Socket.prototype._destroy check
+  // to emit 'close' server event
+  this._server = options.server;
+
   debug('%s _init',
         options.isServer ? 'server' : 'client',
         'handle?', !!ssl,