After having a Teeworlds mastersrv running for a week now (which wasn't very stable and already crashed on me on the first day), I have finally fixed the issue, after waiting about a week for it to crash again, this time with gdb attached. After many hours of digging through the source code (and matricks pointing out the fix, which he already had on the main mastersrv but hadn't shared in the repository), I found that the packet that caused the NULL-pointer access was not one of those the mastersrv usually takes. Instead of a normal connectionless packet, it had the compression flag set rather than the connectionless one, which caused the network code to try to decompress it. But since the mastersrv never deals with compressed data, the Huffman lookup table is never initialized and is thus full of NULL pointers. The problem was fixed with a simple »if(!pNode) return -1;«: a lookup that lands on an empty table entry now fails the packet instead of dereferencing the NULL pointer.
Since the bug is a plain NULL-pointer access, the worst it could do was crash the mastersrv: code injection wasn't possible at any time, and the client and server were not affected since they initialize the Huffman class.
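To make the failure mode concrete, here is an added example in C; it is not code from Teeworlds or from this post. It models a small Huffman decoder with a prefix lookup table and the packet dispatch described above. The flag values, the four-symbol code (a=0, b=10, c=110, EOF=111) and the packet bytes are constructed for this example, as are all function names. A mastersrv-like caller that never runs huffman_init() has an all-NULL table, and the »if(!pNode) return -1;«-style check in huffman_decompress() turns the would-be crash into a rejected packet, while an initialized decoder (the client/server case) decodes the same packet normally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header flags for this example, not the real Teeworlds constants. */
#define PKT_FLAG_CONNLESS    0x01u
#define PKT_FLAG_COMPRESSION 0x02u

#define SYM_EOF  256   /* end-of-stream symbol, as Huffman codecs commonly use */
#define LUT_BITS 2     /* the decoder peeks this many bits to index the table */

struct node {
    int symbol;                  /* >= 0 for a leaf, -1 for an inner node */
    int nbits;                   /* code length, only meaningful for a leaf */
    const struct node *child[2];
};

struct huffman {
    struct node nodes[7];
    const struct node *lut[1u << LUT_BITS]; /* all NULL until init runs */
};

/* Build the toy code a=0, b=10, c=110, EOF=111 and its lookup table. */
static void huffman_init(struct huffman *h)
{
    struct node *n = h->nodes;
    memset(h, 0, sizeof *h);
    n[0] = (struct node){ -1, 0, { &n[1], &n[2] } };       /* root */
    n[1] = (struct node){ 'a', 1, { NULL, NULL } };
    n[2] = (struct node){ -1, 0, { &n[3], &n[4] } };
    n[3] = (struct node){ 'b', 2, { NULL, NULL } };
    n[4] = (struct node){ -1, 0, { &n[5], &n[6] } };
    n[5] = (struct node){ 'c', 3, { NULL, NULL } };
    n[6] = (struct node){ SYM_EOF, 3, { NULL, NULL } };
    /* For every LUT_BITS-bit prefix, walk from the root and remember where
     * the walk ends: a leaf, or the inner node to continue from. */
    for (unsigned i = 0; i < (1u << LUT_BITS); i++) {
        const struct node *cur = &n[0];
        for (int b = LUT_BITS - 1; b >= 0 && cur->symbol < 0; b--)
            cur = cur->child[(i >> b) & 1u];
        h->lut[i] = cur;
    }
}

/* Decode an MSB-first Huffman bit stream. Returns bytes written, or -1 on
 * malformed input or on a decoder whose table was never built. */
static int huffman_decompress(const struct huffman *h, const unsigned char *in,
                              size_t inlen, unsigned char *out, size_t outlen)
{
    uint32_t acc = 0;              /* valid bits left-aligned in acc */
    int nacc = 0;                  /* number of valid bits in acc */
    size_t ip = 0, op = 0;
    for (;;) {
        while (nacc <= 24 && ip < inlen) {
            acc |= (uint32_t)in[ip++] << (24 - nacc);
            nacc += 8;
        }
        if (nacc <= 0)
            return -1;             /* input ended before the EOF symbol */
        const struct node *n = h->lut[acc >> (32 - LUT_BITS)];
        if (!n)
            return -1;             /* the fix: entry never filled in */
        if (n->symbol < 0) {       /* code longer than LUT_BITS: walk the tree */
            acc <<= LUT_BITS;
            nacc -= LUT_BITS;
            while (n->symbol < 0) {
                if (nacc <= 0)
                    return -1;
                n = n->child[acc >> 31];
                acc <<= 1;
                nacc -= 1;
                if (!n)
                    return -1;     /* same check on the tree walk */
            }
        } else {
            if (n->nbits > nacc)
                return -1;         /* truncated code at end of input */
            acc <<= n->nbits;
            nacc -= n->nbits;
        }
        if (n->symbol == SYM_EOF)
            return (int)op;
        if (op >= outlen)
            return -1;             /* output buffer full */
        out[op++] = (unsigned char)n->symbol;
    }
}

/* Dispatch on the header byte as the post describes: connectionless packets
 * pass through, compression-flagged packets go to the decompressor. */
static int handle_packet(const struct huffman *h, const unsigned char *pkt,
                         size_t len, unsigned char *payload, size_t cap)
{
    if (len < 1)
        return -1;
    if (pkt[0] & PKT_FLAG_CONNLESS) {
        if (len - 1 > cap)
            return -1;
        memcpy(payload, pkt + 1, len - 1);
        return (int)(len - 1);
    }
    if (pkt[0] & PKT_FLAG_COMPRESSION)
        return huffman_decompress(h, pkt + 1, len - 1, payload, cap);
    return -1;
}

/* Constructed packet: compression flag, then "abc"+EOF = 0 10 110 111, padded. */
static const unsigned char g_compressed[] = { PKT_FLAG_COMPRESSION, 0x5B, 0x80 };

/* Mastersrv case: tables never built, so every entry is NULL. Returns -1. */
static int decode_without_init(void)
{
    struct huffman h;
    unsigned char out[8];
    memset(&h, 0, sizeof h);       /* zeroed storage, like a never-initialised table */
    return handle_packet(&h, g_compressed, sizeof g_compressed, out, sizeof out);
}

/* Client/server case: tables built, the payload decodes. Returns 1 on "abc". */
static int decode_with_init_ok(void)
{
    struct huffman h;
    unsigned char out[8];
    huffman_init(&h);
    int n = handle_packet(&h, g_compressed, sizeof g_compressed, out, sizeof out);
    return n == 3 && memcmp(out, "abc", 3) == 0;
}

int main(void)
{
    printf("uninitialised decoder: %d\n", decode_without_init());
    printf("initialised decoder decodes \"abc\": %d\n", decode_with_init_ok());
    return 0;
}
```

Without the two `if (!n) return -1;` checks the first call would read through a NULL node pointer exactly as the crashing mastersrv did; with them, a stray compression-flagged packet is simply dropped by a process that has no business decompressing anything.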