From 7b25026418e082ff146b25c2dd1082fe79f780f9 Mon Sep 17 00:00:00 2001
From: jsing
Date: Mon, 6 May 2024 14:36:05 +0000
Subject: [PATCH] Guard call to contract() from doall_util_fn().
It is not safe to unconditionally call contract() - when called repeatedly it will shrink the bucket array to zero and then attempt to access that allocation on the next call. Use the same guard that is used in lh_delete().
Issue found when investigating haproxy crashes reported by wizard-it on GitHub.
ok tb@
---
 lib/libcrypto/lhash/lhash.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/libcrypto/lhash/lhash.c b/lib/libcrypto/lhash/lhash.c
index cd69f6fec19..2fb3c4ca59c 100644
--- a/lib/libcrypto/lhash/lhash.c
+++ b/lib/libcrypto/lhash/lhash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.c,v 1.22 2024/03/02 11:11:11 tb Exp $ */
+/* $OpenBSD: lhash.c,v 1.23 2024/05/06 14:36:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -294,7 +294,9 @@ doall_util_fn(_LHASH *lh, int use_arg, LHASH_DOALL_FN_TYPE func,
 /* Restore down load factor and trigger contraction. */
 lh->down_load = down_load;
- contract(lh);
+ if ((lh->num_nodes > MIN_NODES) &&
+ (lh->down_load >= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)))
+ contract(lh);
 }
 void
--
2.20.1
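Review bot: The guard added in front of `contract(lh)` at the end of doall_util_fn() is a second copy of the condition that, per the commit message, lh_delete() already carries, while contract() itself remains unsafe to call without it. Because the failure is an access to a bucket array that has been shrunk to zero, the `num_nodes > MIN_NODES` precondition would be better enforced in one place, for example as an early `if (lh->num_nodes <= MIN_NODES) return;` inside contract() (its body is not visible here, so this needs confirming against the callers). At minimum the new lines deserve a comment such as `/* contract() must only run with num_nodes > MIN_NODES; keep in sync with lh_delete(). */`. The existing comment "trigger contraction" should also be reworded, since contraction is now conditional. doall_util_fn() begins outside this hunk, so the rest of its body was not reviewed.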