upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-06-17 21:40:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag()

Browse source 
hpack_dht_insert() has three call sites for hpack_dht_defrag(). Two of
them (lines 293 and 306) correctly check for a NULL return and bail out
with -1. The third (line 353, data-space defrag path) assigns the return
value to dht and immediately dereferences it without a NULL check.

When pool_head_hpack_tbl is exhausted, hpack_dht_alloc() returns NULL,
hpack_dht_defrag() propagates it, and line 354 dereferences NULL+0x0a
(offsetof wrap), crashing the worker with SIGSEGV.

Add a NULL check consistent with the two other call sites.

This must be backported to all stable versions.

Reported-by: Tristan (@TristanInSec)
This commit is contained in:
Tristan Madani 2026-06-16 10:42:10 +02:00 committed by Amaury Denoyelle
parent 8e1c51378e
commit 9a6d1fe3f0
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/hpack-tbl.c
View file

@ -351,6 +351,8 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
else {
/* need to defragment the table before inserting upfront */
dht = hpack_dht_defrag(dht);
if (!dht)
return -1;
wrap = dht->wrap + 1;
head = dht->head + 1;
dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);