NULL deref when netrc is enabled

[z2-2z]

A NULL deref exists in lib/url.c that can be triggered when netrc is enabled and a specially crafted netrc-file is given to libcurl.
The bug is in line 2830:

NETRCcode ret = Curl_parsenetrc(&data->state.netrc, conn->host.name,
                                      userp, passwdp,
                                      data->set.str[STRING_NETRC_FILE]);

// ...

if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {

  // ...

}

There is a path through Curl_parsenetrc that returns NETRC_OK but leaves *userp as NULL and only sets *passwdp, which then later triggers a NULL-deref in str_has_ctrl(*userp).

To reproduce this, use this netrc file and the following client:

#include "curl/curl.h"

int main (int argc, char** argv) {
    CURL* curl = curl_easy_init();
    curl_easy_setopt(curl, CURLOPT_URL, "ftp://127.0.0.1/");
    curl_easy_setopt(curl, CURLOPT_NETRC, CURL_NETRC_REQUIRED);
    curl_easy_setopt(curl, CURLOPT_NETRC_FILE, "<attached-file>");
    curl_easy_perform(curl);
    curl_easy_cleanup(curl);
}

[bagder]

Thanks!