Commit f65bcab102 for openssl.org

commit f65bcab102872dba0c7e9f5d08a3fdcedfeed200
Author: Alexandr Nedvedicky <sashan@openssl.org>
Date:   Wed Mar 11 14:12:29 2026 +0100

    QUIC stack must disable hash table contraction before doing
    lh_TYPE_doall(lh, lh_TYPE_delete). Not doing so may dereference
    dead memory when traversing to next item in hash table.

    One has to call lh_TYPE_set_down_load(lh, 0) to disable hash
    table contraction when table is being destroyed during the
    _doall() traversal.

    call lh_TYPE_set_down_load(lh, 0) before doing
    lh_TYPE_daall() with lh_TYPE_delete(). This disables

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Wed Mar 18 17:26:44 2026
    (Merged from https://github.com/openssl/openssl/pull/30371)

diff --git a/ssl/quic/quic_srtm.c b/ssl/quic/quic_srtm.c
index 405376fc46..9de35ecaf7 100644
--- a/ssl/quic/quic_srtm.c
+++ b/ssl/quic/quic_srtm.c
@@ -168,6 +168,11 @@ void ossl_quic_srtm_free(QUIC_SRTM *srtm)

     lh_SRTM_ITEM_free(srtm->items_rev);
     if (srtm->items_fwd != NULL) {
+        /*
+         * We don't need to call lh_SRTM_ITEM_set_set_down(..., 0)
+         * here because srtm_free_each() callback for _doall() does
+         * not call to lh_SRTIM_ITEM_delete().
+         */
         lh_SRTM_ITEM_doall(srtm->items_fwd, srtm_free_each);
         lh_SRTM_ITEM_free(srtm->items_fwd);
     }
diff --git a/ssl/quic/quic_stream_map.c b/ssl/quic/quic_stream_map.c
index 826d387c2e..6f516e9cc8 100644
--- a/ssl/quic/quic_stream_map.c
+++ b/ssl/quic/quic_stream_map.c
@@ -123,6 +123,7 @@ static void release_each(QUIC_STREAM *stream, void *arg)

 void ossl_quic_stream_map_cleanup(QUIC_STREAM_MAP *qsm)
 {
+    lh_QUIC_STREAM_set_down_load(qsm->map, 0);
     ossl_quic_stream_map_visit(qsm, release_each, qsm);

     lh_QUIC_STREAM_free(qsm->map);