aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Holme <steve_holme@hotmail.com>2014-09-07 07:09:14 +0100
committerSteve Holme <steve_holme@hotmail.com>2014-09-07 07:11:14 +0100
commit4a6fa4c2047d315536d0d10c776398aed13f2165 (patch)
tree71b03f7fc668b93fd809bcf66bb63d9eaca6ebeb
parentc25cd9094b8be1920c1de68d9384ab9dab185dfb (diff)
multi.c: Avoid invalid memory read after free() from commit 3c8c873252
As the current element in the list is free()d by Curl_llist_remove(), when the associated connection is pending, reworked the loop to avoid accessing the next element through e->next afterward.
-rw-r--r--lib/multi.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/multi.c b/lib/multi.c
index cd99612ca..a1dc2c82c 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)
void Curl_multi_process_pending_handles(struct Curl_multi *multi)
{
- struct curl_llist_element *e;
+ struct curl_llist_element *e = multi->pending->head;
- for(e = multi->pending->head; e; e = e->next) {
+ while(e) {
struct SessionHandle *data = e->ptr;
+ struct curl_llist_element *next = e->next;
+
if(data->mstate == CURLM_STATE_CONNECT_PEND) {
multistate(data, CURLM_STATE_CONNECT);
+
/* Remove this node from the list */
Curl_llist_remove(multi->pending, e, NULL);
+
/* Make sure that the handle will be processed soonish. */
Curl_expire_latest(data, 1);
}
+
+ e = next; /* operate on next handle */
}
}