multi.c: Avoid invalid memory read after free() from commit 3c8c873252

As the current element in the list is free()d by Curl_llist_remove(), when the associated connection is pending, reworked the loop to avoid accessing the next element through e->next afterward.
author: Steve Holme <steve_holme@hotmail.com> 2014-09-07 07:09:14 +0100
committer: Steve Holme <steve_holme@hotmail.com> 2014-09-07 07:11:14 +0100
commit: 4a6fa4c2047d315536d0d10c776398aed13f2165 (patch)
tree: 71b03f7fc668b93fd809bcf66bb63d9eaca6ebeb
parent: c25cd9094b8be1920c1de68d9384ab9dab185dfb (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/multi.c b/lib/multi.c
index cd99612ca..a1dc2c82c 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)
 
 void Curl_multi_process_pending_handles(struct Curl_multi *multi)
 {
-  struct curl_llist_element *e;
+  struct curl_llist_element *e = multi->pending->head;
 
-  for(e = multi->pending->head; e; e = e->next) {
+  while(e) {
     struct SessionHandle *data = e->ptr;
+    struct curl_llist_element *next = e->next;
+
     if(data->mstate == CURLM_STATE_CONNECT_PEND) {
       multistate(data, CURLM_STATE_CONNECT);
+
       /* Remove this node from the list */
       Curl_llist_remove(multi->pending, e, NULL);
+
       /* Make sure that the handle will be processed soonish. */
       Curl_expire_latest(data, 1);
     }
+
+    e = next; /* operate on next handle */
   }
 }
author	Steve Holme <steve_holme@hotmail.com>	2014-09-07 07:09:14 +0100
committer	Steve Holme <steve_holme@hotmail.com>	2014-09-07 07:11:14 +0100
commit	4a6fa4c2047d315536d0d10c776398aed13f2165 (patch)
tree	71b03f7fc668b93fd809bcf66bb63d9eaca6ebeb
parent	c25cd9094b8be1920c1de68d9384ab9dab185dfb (diff)