From 9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513 Mon Sep 17 00:00:00 2001 From: Tristan Madani Date: Tue, 16 Jun 2026 10:42:10 +0200 Subject: [PATCH] BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag() hpack_dht_insert() has three call sites for hpack_dht_defrag(). Two of them (lines 293 and 306) correctly check for a NULL return and bail out with -1. The third (line 353, data-space defrag path) assigns the return value to dht and immediately dereferences it without a NULL check. When pool_head_hpack_tbl is exhausted, hpack_dht_alloc() returns NULL, hpack_dht_defrag() propagates it, and line 354 dereferences NULL+0x0a (offsetof wrap), crashing the worker with SIGSEGV. Add a NULL check consistent with the two other call sites. This must be backported to all stable versions. Reported-by: Tristan (@TristanInSec) --- src/hpack-tbl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c index 990d2f7dd..92a6f4435 100644 --- a/src/hpack-tbl.c +++ b/src/hpack-tbl.c @@ -351,6 +351,8 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value) else { /* need to defragment the table before inserting upfront */ dht = hpack_dht_defrag(dht); + if (!dht) + return -1; wrap = dht->wrap + 1; head = dht->head + 1; dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
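Review bot: The added check matches the two other hpack_dht_defrag() call sites the commit message describes (check for NULL, return -1), so the hunk itself looks right; one thing worth confirming before merge is that every caller of hpack_dht_insert() treats -1 as a hard failure for the whole table rather than retrying, because once `dht = hpack_dht_defrag(dht);` has returned NULL the caller's only remaining reference to the old table is gone and the caller cannot recover it. Two smaller points on the commit message rather than the code: the references to "lines 293 and 306" and "line 353" will not survive the requested backport to all stable branches, so naming the paths (the two early defrag checks versus the data-space defrag path before the `wrap = dht->wrap + 1;` computation) would make the message durable; and since the trigger is pool_head_hpack_tbl exhaustion, a regression test that exhausts the pool (or a fault-injection run with a tiny pool limit) would guard against this NULL-dereference crash of a worker reappearing in a future refactor.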