From: Alexandr Nedvedicky Date: Wed, 11 Mar 2026 13:12:29 +0000 (+0100) Subject: QUIC stack must disable hash table contraction before doing X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f65bcab102872dba0c7e9f5d08a3fdcedfeed200;p=thirdparty%2Fopenssl.git QUIC stack must disable hash table contraction before doing lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference dead memory when traversing to next item in hash table. One has to call lh_TYPE_set_down_load(lh, 0) to disable hash table contraction when table is being destroyed during the _doall() traversal. call lh_TYPE_set_down_load(lh, 0) before doing lh_TYPE_daall() with lh_TYPE_delete(). This disables Reviewed-by: Neil Horman Reviewed-by: Eugene Syromiatnikov MergeDate: Wed Mar 18 17:26:44 2026 (Merged from https://github.com/openssl/openssl/pull/30371)
---
diff --git a/ssl/quic/quic_srtm.c b/ssl/quic/quic_srtm.c
index 405376fc465..9de35ecaf7c 100644
--- a/ssl/quic/quic_srtm.c
+++ b/ssl/quic/quic_srtm.c
@@ -168,6 +168,11 @@ void ossl_quic_srtm_free(QUIC_SRTM *srtm)
 lh_SRTM_ITEM_free(srtm->items_rev);
 if (srtm->items_fwd != NULL) {
+ /*
+ * We don't need to call lh_SRTM_ITEM_set_set_down(..., 0)
+ * here because srtm_free_each() callback for _doall() does
+ * not call to lh_SRTIM_ITEM_delete().
+ */
 lh_SRTM_ITEM_doall(srtm->items_fwd, srtm_free_each);
 lh_SRTM_ITEM_free(srtm->items_fwd);
 }
diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c
index 826d387c2e0..6f516e9cc89 100644
--- a/ssl/quic/quic_stream_map.c
+++ b/ssl/quic/quic_stream_map.c
@@ -123,6 +123,7 @@ static void release_each(QUIC_STREAM *stream, void *arg)
 void ossl_quic_stream_map_cleanup(QUIC_STREAM_MAP *qsm)
 {
+ lh_QUIC_STREAM_set_down_load(qsm->map, 0);
 ossl_quic_stream_map_visit(qsm, release_each, qsm);
 lh_QUIC_STREAM_free(qsm->map);
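Review bot: The comment added in ossl_quic_srtm_free() misnames both functions it refers to: `lh_SRTM_ITEM_set_set_down(..., 0)` should read `lh_SRTM_ITEM_set_down_load(..., 0)`, and `lh_SRTIM_ITEM_delete()` should read `lh_SRTM_ITEM_delete()`. This comment is the only record of why contraction stays enabled during the traversal, and a search for either real name will not find it. Whether srtm_free_each() really never deletes from items_fwd cannot be checked here, because the callback is defined outside the hunk. A one-line note at the callback itself, such as `/* must not call lh_SRTM_ITEM_delete(): caller leaves contraction enabled */`, would keep the invariant next to the code that could break it. The function starts and ends outside the hunk.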
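Review bot: The new `lh_QUIC_STREAM_set_down_load(qsm->map, 0);` in ossl_quic_stream_map_cleanup() runs unconditionally, while the quic_srtm.c hunk touches its table only under `if (srtm->items_fwd != NULL)`. As far as I know the set_down_load setter writes through its argument without a NULL check, whereas the doall and free calls below tolerate NULL. If cleanup can be reached with a map that was never allocated (not visible in this hunk), the line would turn a previously harmless call into a NULL dereference. I would guard it, `if (qsm->map != NULL) lh_QUIC_STREAM_set_down_load(qsm->map, 0);`, and add a comment above it such as `/* release_each() deletes entries during the traversal; disable contraction so the walk never follows a freed bucket */`. The function body continues outside the hunk.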