QUIC stack must disable hash table contraction before doing

lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
dead memory when traversing to next item in hash table.

One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
table contraction when table is being destroyed during the
_doall() traversal.

call lh_TYPE_set_down_load(lh, 0) before doing
lh_TYPE_daall() with lh_TYPE_delete(). This disables

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Mar 18 17:26:44 2026
(Merged from https://github.com/openssl/openssl/pull/30371)

diff --git a/ssl/quic/quic_srtm.c b/ssl/quic/quic_srtm.c
index 405376fc465d63ddaeabe0dfcdb6e33887de97c9..9de35ecaf7ca250712331139ca411a2c53aa2c77 100644 (file)
--- a/ssl/quic/quic_srtm.c
+++ b/ssl/quic/quic_srtm.c
@@ -168,6 +168,11 @@ void ossl_quic_srtm_free(QUIC_SRTM *srtm)
 
     lh_SRTM_ITEM_free(srtm->items_rev);
     if (srtm->items_fwd != NULL) {
+        /*
+         * We don't need to call lh_SRTM_ITEM_set_set_down(..., 0)
+         * here because srtm_free_each() callback for _doall() does
+         * not call to lh_SRTIM_ITEM_delete().
+         */
         lh_SRTM_ITEM_doall(srtm->items_fwd, srtm_free_each);
         lh_SRTM_ITEM_free(srtm->items_fwd);
     }

diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c
index 826d387c2e0e09e81706f4af0f7c0613c1c54565..6f516e9cc89b8d097688b99ddd51710b9cd11cf3 100644 (file)
--- a/ssl/quic/quic_stream_map.c
+++ b/ssl/quic/quic_stream_map.c
@@ -123,6 +123,7 @@ static void release_each(QUIC_STREAM *stream, void *arg)
 
 void ossl_quic_stream_map_cleanup(QUIC_STREAM_MAP *qsm)
 {
+    lh_QUIC_STREAM_set_down_load(qsm->map, 0);
     ossl_quic_stream_map_visit(qsm, release_each, qsm);
 
     lh_QUIC_STREAM_free(qsm->map);