From 628c4e7af1a28ea2d8463a29d59a58d30eb1f710 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 28 Sep 2012 13:56:03 +0200
Subject: [PATCH] Curl_reconnect_request: clear pointer on failure

The Curl_reconnect_request() function could end up returning a pointer
to a free()d struct when Curl_done() failed inside. Clearing the pointer
unconditionally after Curl_done() avoids this risk.

Reported by: Ho-chi Chen
Bug: http://curl.haxx.se/mail/lib-2012-09/0188.html
---
 lib/transfer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/transfer.c b/lib/transfer.c
index 73456ec3e..2ad5fad46 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1985,7 +1985,9 @@ Curl_reconnect_request(struct connectdata **connp)
   conn->bits.close = TRUE; /* enforce close of this connection */
   result = Curl_done(&conn, result, FALSE); /* we are so done with this */
 
-  /* conn may no longer be a good pointer */
+  /* conn may no longer be a good pointer, clear it to avoid mistakes by
+     parent functions */
+  *connp = NULL;
 
   /*
    * According to bug report #1330310. We need to check for CURLE_SEND_ERROR