From 4a6fa4c2047d315536d0d10c776398aed13f2165 Mon Sep 17 00:00:00 2001
From: Steve Holme
Date: Sun, 7 Sep 2014 07:09:14 +0100
Subject: [PATCH] multi.c: Avoid invalid memory read after free() from commit 3c8c873252

As the current element in the list is free()d by Curl_llist_remove(), when the associated connection is pending, reworked the loop to avoid accessing the next element through e->next afterward.
---
 lib/multi.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/multi.c b/lib/multi.c
index cd99612ca..a1dc2c82c 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)
 void Curl_multi_process_pending_handles(struct Curl_multi *multi)
 {
- struct curl_llist_element *e;
+ struct curl_llist_element *e = multi->pending->head;
- for(e = multi->pending->head; e; e = e->next) {
+ while(e) {
 struct SessionHandle *data = e->ptr;
+ struct curl_llist_element *next = e->next;
+
 if(data->mstate == CURLM_STATE_CONNECT_PEND) {
 multistate(data, CURLM_STATE_CONNECT);
+
 /* Remove this node from the list */
 Curl_llist_remove(multi->pending, e, NULL);
+
 /* Make sure that the handle will be processed soonish. */
 Curl_expire_latest(data, 1);
 }
+
+ e = next; /* operate on next handle */
 }
 }
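Review bot: The new declaration `struct curl_llist_element *next = e->next;` carries no comment saying why the successor is read before the loop body runs, so the read-after-free this commit fixes is easy to reintroduce by folding the loop back into `for(...; e = e->next)`. I would put `/* read e->next first: Curl_llist_remove() below frees e */` above that declaration, since the reason currently lives only in the commit message. The saved pointer is also only valid if nothing called between that read and `e = next` removes another node from `multi->pending`. The bodies of multistate() and Curl_expire_latest() are not visible in this hunk, so that assumption is worth confirming and stating in the same comment.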