git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert()
author Frederic Lecaille <flecaille@haproxy.com>
Wed, 27 May 2026 13:00:30 +0000 (15:00 +0200)
committer Frederic Lecaille <flecaille@haproxy.com>
Wed, 27 May 2026 16:40:53 +0000 (18:40 +0200)

When defragmenting the QPACK dynamic header table upfront during an
insertion, qpack_dht_defrag() can fail and return NULL if memory
allocation or re-allocation fails.

However, qpack_dht_insert() was blindly using the returned pointer
without validation, immediately leading to a null-pointer dereference
on 'dht->wrap'.

Fix this by checking if 'dht' is NULL after the defrag call and return
an error (-1).

Note that this has no impact on production yet because the QPACK dynamic
table is currently not enabled/used, so qpack_dht_insert() is never called.

Should be easily backported to all versions.

src/qpack-tbl.c

index 7c59fd2f7ecc0c1d3e43f9ac1c580b221b9b08e8..e069464f5faccc63bc74638f90b1dbc44c096b7d 100644 (file)
@@ -394,6 +394,9 @@ int qpack_dht_insert(struct qpack_dht *dht, struct ist name, struct ist value)
        else {
                /* need to defragment the table before inserting upfront */
                dht = qpack_dht_defrag(dht);
+               if (!dht)
+                       return -1;
+
                wrap = dht->wrap + 1;
                head = dht->head + 1;
                dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
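Review bot: the new 'return -1' after 'dht = qpack_dht_defrag(dht);' leaves the failure contract unstated: the function's comment should say that -1 now also covers a failed defragmentation and whether the table is left unmodified and still usable in that case, so callers know they can keep the connection's table rather than tear it down. Related point on the same line: 'dht' is a by-value parameter that gets overwritten with the defrag result, so the caller keeps its original pointer. That is what makes the early return safe here, but it also means the success path is only correct if qpack_dht_defrag() hands back the same address it was given; a short comment or assertion to that effect next to the NULL check would make the assumption explicit before the dynamic table is enabled.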