From: jsing <jsing@openbsd.org>
Date: Mon, 6 May 2024 14:36:05 +0000 (+0000)
Subject: Guard call to contract() from doall_util_fn().
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7b25026418e082ff146b25c2dd1082fe79f780f9;p=openbsd

Guard call to contract() from doall_util_fn().

It is not safe to unconditionally call contract() - when called repeatedly
it will shrink the bucket array to zero and then attempt to access that
allocation on the next call. Use the same guard that is used in
lh_delete().

Issue found when investigating haproxy crashes reported by wizard-it on
GitHub.

ok tb@
---

diff --git a/lib/libcrypto/lhash/lhash.c b/lib/libcrypto/lhash/lhash.c
index cd69f6fec19..2fb3c4ca59c 100644
--- a/lib/libcrypto/lhash/lhash.c
+++ b/lib/libcrypto/lhash/lhash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.c,v 1.22 2024/03/02 11:11:11 tb Exp $ */
+/* $OpenBSD: lhash.c,v 1.23 2024/05/06 14:36:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -294,7 +294,9 @@ doall_util_fn(_LHASH *lh, int use_arg, LHASH_DOALL_FN_TYPE func,
 
 	/* Restore down load factor and trigger contraction. */
 	lh->down_load = down_load;
-	contract(lh);
+	if ((lh->num_nodes > MIN_NODES) &&
+	    (lh->down_load >= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)))
+		contract(lh);
 }
 
 void