Fix fuzzing detected failure

If both :authority and host appear in client initial headers, we either leak (in opt builds) or crash (in dbg).
author: Craig Tiller <ctiller@google.com> 2017-01-30 08:17:38 -0800
committer: Craig Tiller <ctiller@google.com> 2017-01-30 08:17:38 -0800
commit: fa6a71d6e560851d84e35cdaee17b06818a5acc8 (patch)
tree: f8f8aaa92d1e9de2e801dbf89ac83327c3833852 /src/core/lib/transport/metadata_batch.c
parent: fd0e2152b76793d937ebeea277eb8e0c23176de6 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/lib/transport/metadata_batch.c b/src/core/lib/transport/metadata_batch.c
index 95b71d33d7..fc2c52bd8a 100644
--- a/src/core/lib/transport/metadata_batch.c
+++ b/src/core/lib/transport/metadata_batch.c
@@ -258,16 +258,22 @@ grpc_error *grpc_metadata_batch_substitute(grpc_exec_ctx *exec_ctx,
                                            grpc_metadata_batch *batch,
                                            grpc_linked_mdelem *storage,
                                            grpc_mdelem new) {
+  assert_valid_callouts(exec_ctx, batch);
   grpc_error *error = GRPC_ERROR_NONE;
   grpc_mdelem old = storage->md;
   if (!grpc_slice_eq(GRPC_MDKEY(new), GRPC_MDKEY(old))) {
     maybe_unlink_callout(batch, storage);
     storage->md = new;
     error = maybe_link_callout(batch, storage);
+    if (error != GRPC_ERROR_NONE) {
+      unlink_storage(&batch->list, storage);
+      GRPC_MDELEM_UNREF(exec_ctx, storage->md);
+    }
   } else {
     storage->md = new;
   }
   GRPC_MDELEM_UNREF(exec_ctx, old);
+  assert_valid_callouts(exec_ctx, batch);
   return error;
 }
author	Craig Tiller <ctiller@google.com>	2017-01-30 08:17:38 -0800
committer	Craig Tiller <ctiller@google.com>	2017-01-30 08:17:38 -0800
commit	fa6a71d6e560851d84e35cdaee17b06818a5acc8 (patch)
tree	f8f8aaa92d1e9de2e801dbf89ac83327c3833852 /src/core/lib/transport/metadata_batch.c
parent	fd0e2152b76793d937ebeea277eb8e0c23176de6 (diff)