multi.c: Avoid invalid memory read after free() from commit 3c8c873
As the current element in the list is free()d by Curl_llist_remove(),
when the associated connection is pending, reworked the loop to avoid
accessing the next element through e->next afterward.
captain-caveman2k committed Sep 7, 2014
1 parent c25cd90 commit 4a6fa4c
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions lib/multi.c
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)

void Curl_multi_process_pending_handles(struct Curl_multi *multi)
{
struct curl_llist_element *e;
struct curl_llist_element *e = multi->pending->head;

for(e = multi->pending->head; e; e = e->next) {
while(e) {
struct SessionHandle *data = e->ptr;
struct curl_llist_element *next = e->next;

if(data->mstate == CURLM_STATE_CONNECT_PEND) {
multistate(data, CURLM_STATE_CONNECT);

/* Remove this node from the list */
Curl_llist_remove(multi->pending, e, NULL);

/* Make sure that the handle will be processed soonish. */
Curl_expire_latest(data, 1);
}

e = next; /* operate on next handle */
}
}
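Review bot: The early capture `struct curl_llist_element *next = e->next;` has no comment saying why it must come before the removal, so a later cleanup could fold it back into `e = e->next` and reintroduce the read of freed memory. I would add `/* fetch the successor first: Curl_llist_remove() frees e */` directly above that line. The loop also relies on nothing in the CONNECT_PEND branch (`multistate()`, `Curl_expire_latest()`) unlinking other nodes of `multi->pending`, otherwise the saved `next` could itself be stale; this cannot be confirmed from the hunk and is worth checking. Likewise `data` is still used after `Curl_llist_remove(multi->pending, e, NULL)`, which is presumably safe only if the list's destructor leaves `e->ptr` alive.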
