From: Frederic Lecaille Date: Wed, 27 May 2026 13:00:30 +0000 (+0200) Subject: BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert() X-Git-Tag: v3.4.0~83 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=2f20eb5bd8d9989b37119666935bb27285acf77e;p=thirdparty%2Fhaproxy.git BUG/MINOR: qpack: fix potential null-pointer dereference in qpack_dht_insert() When defragmenting the QPACK dynamic header table upfront during an insertion, qpack_dht_defrag() can fail and return NULL if memory allocation or re-allocation fails. However, qpack_dht_insert() was blindly using the returned pointer without validation, immediately leading to a null-pointer dereference on 'dht->wrap'. Fix this by checking if 'dht' is NULL after the defrag call and return an error (-1). Note that this has no impact on production yet because the QPACK dynamic table is currently not enabled/used, so qpack_dht_insert() is never called. Should be easily backported to all versions. --- diff --git a/src/qpack-tbl.c b/src/qpack-tbl.c index 7c59fd2f7..e069464f5 100644 --- a/src/qpack-tbl.c +++ b/src/qpack-tbl.c @@ -394,6 +394,9 @@ int qpack_dht_insert(struct qpack_dht *dht, struct ist name, struct ist value) else { /* need to defragment the table before inserting upfront */ dht = qpack_dht_defrag(dht); + if (!dht) + return -1; + wrap = dht->wrap + 1; head = dht->head + 1; dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
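Review bot: in the `else` branch of qpack_dht_insert(), the added `if (!dht) return -1;` tests the parameter only after `dht = qpack_dht_defrag(dht);` has already overwritten it, so the failure path no longer holds the original table pointer, and nothing in these lines says whether that table is still intact and owned by the caller when defrag returns NULL. Consider assigning the result to a temporary and updating `dht` only on success, or at least adding a comment next to the check that states the table's state after a failed defrag. Because `dht` is passed by value and the function returns `int`, it is also worth confirming that qpack_dht_defrag() never hands back a different address than it was given, since a new address would not reach the caller. Finally, if the function's header comment lists return values, it should mention that -1 now also covers an allocation failure during defragmentation.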