From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 18 Feb 2026 18:04:30 +0900
Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
 failure

---
 lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

Index: nghttp2-1.64.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.64.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.64.0/lib/nghttp2_session.c
@@ -6063,6 +6063,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
           return rv;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (nghttp2_ssize)inlen;
+        }
+
         on_begin_frame_called = 1;
 
         rv = session_process_headers_frame(session);
@@ -6429,6 +6433,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
           if (nghttp2_is_fatal(rv)) {
             return rv;
           }
+
+          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+            return (nghttp2_ssize)inlen;
+          }
         }
       }
 
@@ -6684,6 +6692,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
           return rv;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (nghttp2_ssize)inlen;
+        }
+
         session_inbound_frame_reset(session);
 
         break;
@@ -6986,6 +6998,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
         if (nghttp2_is_fatal(rv)) {
           return rv;
         }
+
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (nghttp2_ssize)inlen;
+        }
       } else {
         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
       }
@@ -7151,6 +7167,11 @@ nghttp2_ssize nghttp2_session_mem_recv2(
             rv = session->callbacks.on_data_chunk_recv_callback(
               session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
               in - readlen, (size_t)data_readlen, session->user_data);
+
+            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+              return (nghttp2_ssize)inlen;
+            }
+
             if (rv == NGHTTP2_ERR_PAUSE) {
               return (nghttp2_ssize)(in - first);
             }
@@ -7237,6 +7258,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
           return rv;
         }
 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (nghttp2_ssize)inlen;
+        }
+
         if (rv != 0) {
           busy = 1;
 
@@ -7255,6 +7280,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
         return rv;
       }
 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (nghttp2_ssize)inlen;
+      }
+
       session_inbound_frame_reset(session);
 
       break;
@@ -7283,6 +7312,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(
         return rv;
       }
 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (nghttp2_ssize)inlen;
+      }
+
       session_inbound_frame_reset(session);
 
       break;