From e9bb7b771287026596d03b75c3767a64b0cf3952 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 21 Feb 2008 17:52:16 +0000 Subject: - Zmey Petroff found a crash when libcurl accessed a NULL pointer, which happened if you set the connection cache size to 1 and for example failed to login to an FTP site. Bug report #1896698 (http://curl.haxx.se/bug/view.cgi?id=1896698) --- CHANGES | 6 ++++++ RELEASE-NOTES | 3 ++- lib/transfer.c | 8 ++++++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index d66e23ac9..95cb39cf4 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,12 @@ Changelog +Daniel S (21 Feb 2008) +- Zmey Petroff found a crash when libcurl accessed a NULL pointer, which + happened if you set the connection cache size to 1 and for example failed to + login to an FTP site. Bug report #1896698 + (http://curl.haxx.se/bug/view.cgi?id=1896698) + Daniel S (20 Feb 2008) - Fixed test case 405 to not fail when libcurl is built with GnuTLS diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 4993be1fd..5b3ed07c1 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -29,6 +29,7 @@ This release includes the following bugfixes: a transfer going on, the connection is now closed by force o bad re-use of SSL connections in non-complete state o test case 405 failures with GnuTLS builds + o crash when connection cache size is 1 and Curl_do() failed This release includes the following known bugs: @@ -47,6 +48,6 @@ advice from friends like these: Michal Marek, Dmitry Kurochkin, Niklas Angebrand, Günter Knauf, Yang Tse, Dan Fandrich, Mike Hommey, Pooyan McSporran, Jerome Muffat-Meridol, - Kaspar Brand, Gautam Kachroo + Kaspar Brand, Gautam Kachroo, Zmey Petroff Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/transfer.c b/lib/transfer.c index 86dcfe24f..6288cec44 100644 --- a/lib/transfer.c +++ b/lib/transfer.c 
@@ -2389,8 +2389,12 @@ CURLcode Curl_perform(struct SessionHandle *data) if(CURLE_OK == res) res = res2; } - else - /* Curl_do() failed, clean up left-overs in the done-call */ + else if(conn) + /* Curl_do() failed, clean up left-overs in the done-call, but note + that at some cases the conn pointer is NULL when Curl_do() failed + and the connection cache is very small so only call Curl_done() if + conn is still "alive". + */ res2 = Curl_done(&conn, res, FALSE); /* -- cgit v1.2.3
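Review bot: In the RELEASE-NOTES hunk, the new bugfix line `o crash when connection cache size is 1 and Curl_do() failed` exposes an internal function name in a user-facing document; phrase it the way the CHANGES entry does, in terms a user can recognise, for example "o crash when the connection cache size is 1 and connecting or logging in (e.g. to an FTP site) fails".

Review bot: In the lib/transfer.c hunk, the `else if(conn)` guard removes the NULL dereference, but the new comment should say which path leaves `conn` NULL rather than only that it happens "at some cases" (which should read "in some cases"); the CHANGES entry already names the condition (connection cache size 1 and a failed Curl_do(), such as an FTP login failure), so the comment can point at that. It is also worth one sentence stating that when `conn` is NULL the done-call is skipped entirely, so a reviewer can confirm that nothing allocated outside the connection still needs releasing on this failure path.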