multi_done: if multiplexed, make conn->data point to another transfer

... since the current transfer is being killed. Setting to NULL is wrong, leaving it pointing to 'data' is wrong since that handle might be about to get freed. Fixes #4845 Closes #4858 Reported-by: dmitrmax on github
2020-01-27 22:50:33 +01:00 · 2020-01-27 22:50:33 +01:00 · db9af34634
parent 8b7fff3311
commit db9af34634
2 changed files with 5 additions and 0 deletions
--- a/lib/multi.c
+++ b/lib/multi.c
@ -592,6 +592,9 @@ static CURLcode multi_done(struct Curl_easy *data,
  detach_connnection(data);
  if(CONN_INUSE(conn)) {
    /* Stop if still used. */
+    /* conn->data must not remain pointing to this transfer since it is going
+       away! Find another to own it! */
+    conn->data = conn->easyq.head->ptr;
    CONN_UNLOCK(data);
    DEBUGF(infof(data, "Connection still in use %zu, "
                 "no more multi_done now!\n",
--- a/lib/url.c
+++ b/lib/url.c
@ -1213,6 +1213,8 @@ ConnectionExists(struct Curl_easy *data,
        }
      }

+      DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));
+
      if(!canmultiplex && check->data)
        /* this request can't be multiplexed but the checked connection is
           already in use so we skip it */