From db9af34634e36d34067fff506915dcf7a783a1e2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 27 Jan 2020 22:50:33 +0100
Subject: multi_done: if multiplexed, make conn->data point to another transfer

... since the current transfer is being killed. Setting to NULL is
wrong, leaving it pointing to 'data' is wrong since that handle might be
about to get freed.

Fixes #4845
Closes #4858
Reported-by: dmitrmax on github
---
 lib/multi.c | 3 +++
 lib/url.c   | 2 ++
 2 files changed, 5 insertions(+)

(limited to 'lib')

diff --git a/lib/multi.c b/lib/multi.c
index b641074d4..6c9d06b0b 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -592,6 +592,9 @@ static CURLcode multi_done(struct Curl_easy *data,
   detach_connnection(data);
   if(CONN_INUSE(conn)) {
     /* Stop if still used. */
+    /* conn->data must not remain pointing to this transfer since it is going
+       away! Find another to own it! */
+    conn->data = conn->easyq.head->ptr;
     CONN_UNLOCK(data);
     DEBUGF(infof(data, "Connection still in use %zu, "
                  "no more multi_done now!\n",
diff --git a/lib/url.c b/lib/url.c
index 689668e04..837e62a09 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1213,6 +1213,8 @@ ConnectionExists(struct Curl_easy *data,
         }
       }
 
+      DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));
+
       if(!canmultiplex && check->data)
         /* this request can't be multiplexed but the checked connection is
            already in use so we skip it */
-- 
cgit v1.2.3