upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-05-27 20:02:17 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 16

BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert()

Browse source 
When defragmenting the QPACK dynamic header table upfront during an
insertion, qpack_dht_defrag() can fail and return NULL if memory
allocation or re-allocation fails.

However, qpack_dht_insert() was blindly using the returned pointer
without validation, immediately leading to a null-pointer dereference
on 'dht->wrap'.

Fix this by checking if 'dht' is NULL after the defrag call and return
an error (-1).

Note that this has no impact on production yet because the QPACK dynamic
table is currently not enabled/used, so qpack_dht_insert() is never called.

Should be easily backported to all versions.
This commit is contained in:
Frederic Lecaille 2026-05-27 15:00:30 +02:00
parent 40313cd0d5
commit 2f20eb5bd8
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/qpack-tbl.c
View file

@ -394,6 +394,9 @@ int qpack_dht_insert(struct qpack_dht *dht, struct ist name, struct ist value)
else {
/* need to defragment the table before inserting upfront */
dht = qpack_dht_defrag(dht);
if (!dht)
return -1;
wrap = dht->wrap + 1;
head = dht->head + 1;
dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);