From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 18 Feb 2026 18:04:30 +0900
Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
 failure

---
 lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

Index: nghttp2-1.40.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.40.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.40.0/lib/nghttp2_session.c
@@ -5630,6 +5630,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
           return rv;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+
         on_begin_frame_called = 1;
 
         rv = session_process_headers_frame(session);
@@ -5953,6 +5957,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
           if (nghttp2_is_fatal(rv)) {
             return rv;
           }
+
+          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+            return (ssize_t)inlen;
+          }
         }
       }
 
@@ -6164,6 +6172,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
           return (ssize_t)inlen;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+
         session_inbound_frame_reset(session);
 
         break;
@@ -6496,6 +6508,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
         if (nghttp2_is_fatal(rv)) {
           return rv;
         }
+
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
       } else {
         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
       }
@@ -6660,6 +6676,11 @@ ssize_t nghttp2_session_mem_recv(nghttp2
             rv = session->callbacks.on_data_chunk_recv_callback(
                 session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
                 in - readlen, (size_t)data_readlen, session->user_data);
+
+            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+              return (ssize_t)inlen;
+            }
+
             if (rv == NGHTTP2_ERR_PAUSE) {
               return in - first;
             }
@@ -6746,6 +6767,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
           return rv;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+
         if (rv != 0) {
           busy = 1;
 
@@ -6764,6 +6789,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
         return rv;
       }
 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (ssize_t)inlen;
+      }
+
       session_inbound_frame_reset(session);
 
       break;
@@ -6792,6 +6821,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
         return rv;
       }
 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (ssize_t)inlen;
+      }
+
       session_inbound_frame_reset(session);
 
       break;