Commit 4a6fa4c2 authored by Steve Holme's avatar Steve Holme
Browse files

multi.c: Avoid invalid memory read after free() from commit 3c8c8732 

As the current element in the list is free()d by Curl_llist_remove(),
when the associated connection is pending, reworked the loop to avoid
accessing the next element through e->next afterward.
parent c25cd909

lib/multi.c

+8 −2
Original line number Diff line number Diff line
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi) 


void Curl_multi_process_pending_handles(struct Curl_multi *multi)

{

  struct curl_llist_element *e;

  struct curl_llist_element *e = multi->pending->head;



  for(e = multi->pending->head; e; e = e->next) {

  while(e) {

    struct SessionHandle *data = e->ptr;

    struct curl_llist_element *next = e->next;



    if(data->mstate == CURLM_STATE_CONNECT_PEND) {

      multistate(data, CURLM_STATE_CONNECT);



      /* Remove this node from the list */

      Curl_llist_remove(multi->pending, e, NULL);



      /* Make sure that the handle will be processed soonish. */

      Curl_expire_latest(data, 1);

    }



    e = next; /* operate on next handle */

  }

}