http2: fixup http2stream cleanup and other nits

This fixes CVE-2018-7161.

PR-URL: https://github.com/nodejs-private/node-private/pull/122
Reviewed-By: Evan Lucas <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>

Author: jasnell

src/node_http2.cc

@@ -500,6 +500,8 @@ Http2Session::Http2Session(Environment* env,
 Http2Session::~Http2Session() {
   CHECK_EQ(flags_ & SESSION_STATE_HAS_SCOPE, 0);
   DEBUG_HTTP2SESSION(this, "freeing nghttp2 session");
+  for (const auto& iter : streams_)
+    iter.second->session_ = nullptr;
   nghttp2_session_del(session_);
 }
 
@@ -643,6 +645,8 @@ inline void Http2Session::AddStream(Http2Stream* stream) {
 
 
 inline void Http2Session::RemoveStream(Http2Stream* stream) {
+  if (streams_.empty() || stream == nullptr)
+    return;  // Nothing to remove, item was never added?
   streams_.erase(stream->id());
   DecrementCurrentSessionMemory(stream->self_size());
 }
@@ -1697,8 +1701,8 @@ Http2Stream::Http2Stream(
 
 
 Http2Stream::~Http2Stream() {
-  DEBUG_HTTP2STREAM(this, "tearing down stream");
   if (session_ != nullptr) {
+    DEBUG_HTTP2STREAM(this, "tearing down stream");
     session_->RemoveStream(this);
     session_ = nullptr;
   }

src/node_http2.h

@@ -721,8 +721,8 @@ class Http2Stream : public AsyncWrap,
   Statistics statistics_ = {};
 
  private:
-  Http2Session* session_;                       // The Parent HTTP/2 Session
-  int32_t id_;                                  // The Stream Identifier
+  Http2Session* session_ = nullptr;             // The Parent HTTP/2 Session
+  int32_t id_ = 0;                              // The Stream Identifier
   int32_t code_ = NGHTTP2_NO_ERROR;             // The RST_STREAM code (if any)
   int flags_ = NGHTTP2_STREAM_FLAG_NONE;        // Internal state flags