BUG/MINOR: hpack-tbl: add missing NULL check after hpack_dht_defrag()

hpack_dht_insert() has three call sites for hpack_dht_defrag(). Two of
them (lines 293 and 306) correctly check for a NULL return and bail out
with -1. The third (line 353, data-space defrag path) assigns the return
value to dht and immediately dereferences it without a NULL check.

When pool_head_hpack_tbl is exhausted, hpack_dht_alloc() returns NULL,
hpack_dht_defrag() propagates it, and line 354 dereferences NULL+0x0a
(offsetof wrap), crashing the worker with SIGSEGV.

Add a NULL check consistent with the two other call sites.

This must be backported to all stable versions.

Reported-by: Tristan (@TristanInSec)

diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
index 990d2f7ddf9346ecf5bbbbdd1ed51d9c837e3ec7..92a6f4435510946983b0164640949b7f3aab6298 100644 (file)
--- a/src/hpack-tbl.c
+++ b/src/hpack-tbl.c
@@ -351,6 +351,8 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
        else {
                /* need to defragment the table before inserting upfront */
                dht = hpack_dht_defrag(dht);
+               if (!dht)
+                       return -1;
                wrap = dht->wrap + 1;
                head = dht->head + 1;
                dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);