From 2f20eb5bd8d9989b37119666935bb27285acf77e Mon Sep 17 00:00:00 2001 From: Frederic Lecaille Date: Wed, 27 May 2026 15:00:30 +0200 Subject: [PATCH] BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert() When defragmenting the QPACK dynamic header table upfront during an insertion, qpack_dht_defrag() can fail and return NULL if memory allocation or re-allocation fails. However, qpack_dht_insert() was blindly using the returned pointer without validation, immediately leading to a null-pointer dereference on 'dht->wrap'. Fix this by checking if 'dht' is NULL after the defrag call and return an error (-1). Note that this has no impact on production yet because the QPACK dynamic table is currently not enabled/used, so qpack_dht_insert() is never called. Should be easily backported to all versions. --- src/qpack-tbl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/qpack-tbl.c b/src/qpack-tbl.c index 7c59fd2f7..e069464f5 100644 --- a/src/qpack-tbl.c +++ b/src/qpack-tbl.c @@ -394,6 +394,9 @@ int qpack_dht_insert(struct qpack_dht *dht, struct ist name, struct ist value) else { /* need to defragment the table before inserting upfront */ dht = qpack_dht_defrag(dht); + if (!dht) + return -1; + wrap = dht->wrap + 1; head = dht->head + 1; dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
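Review bot: the new `if (!dht) return -1;` check in the defragment branch of qpack_dht_insert() runs after `dht = qpack_dht_defrag(dht);` has already overwritten the function's only copy of the table pointer, and because `dht` is a by-value parameter the caller still holds the old pointer when -1 comes back. Consider assigning the defrag result to a temporary and testing that, so the original pointer stays available on the failure path. Please also add a short comment next to the check (or in the function's header comment) saying whether the table is left untouched and still usable when qpack_dht_defrag() returns NULL. Nothing in the visible lines tells the caller whether it may keep using the table or must release it after this error. Since the commit message says the function currently has no callers, it would also help to document the -1 return now so that future callers check for it.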