nss: handshake callback during shutdown has no conn->bundle

The callback gets called because of the call to PR_Recv() done to
attempt to avoid RST on the TCP connection. The conn->bundle pointer is
already cleared at this point so avoid dereferencing it.

Reported-by: Eric Musser
Fixes #8341
Closes #8342

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 9e301437b6f6ce3b18fdbb31b644faa988e583ef..c3f40f2b96e2d4c85e9f9378f7c3a94dd2eaaa32 100644 (file)
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -882,8 +882,14 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
        !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
       conn->negnpn = CURL_HTTP_VERSION_1_1;
     }
-    Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
-                        BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
+
+    /* This callback might get called when PR_Recv() is used within
+     * close_one() during a connection shutdown. At that point there might not
+     * be any "bundle" associated with the connection anymore.
+     */
+    if(conn->bundle)
+      Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
+                          BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
   }
 }