multi.c: Avoid invalid memory read after free() from commit 3c8c873252

As the current element in the list is free()d by Curl_llist_remove(),
when the associated connection is pending, reworked the loop to avoid
accessing the next element through e->next afterward.
This commit is contained in:
Steve Holme
2014-09-07 07:09:14 +01:00
parent c25cd9094b
commit 4a6fa4c204

View File

@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)
void Curl_multi_process_pending_handles(struct Curl_multi *multi) void Curl_multi_process_pending_handles(struct Curl_multi *multi)
{ {
struct curl_llist_element *e; struct curl_llist_element *e = multi->pending->head;
for(e = multi->pending->head; e; e = e->next) { while(e) {
struct SessionHandle *data = e->ptr; struct SessionHandle *data = e->ptr;
struct curl_llist_element *next = e->next;
if(data->mstate == CURLM_STATE_CONNECT_PEND) { if(data->mstate == CURLM_STATE_CONNECT_PEND) {
multistate(data, CURLM_STATE_CONNECT); multistate(data, CURLM_STATE_CONNECT);
/* Remove this node from the list */ /* Remove this node from the list */
Curl_llist_remove(multi->pending, e, NULL); Curl_llist_remove(multi->pending, e, NULL);
/* Make sure that the handle will be processed soonish. */ /* Make sure that the handle will be processed soonish. */
Curl_expire_latest(data, 1); Curl_expire_latest(data, 1);
} }
e = next; /* operate on next handle */
} }
} }