From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 28 Jan 2022 07:17:15 +0000 (+0100)
Subject: nss: handshake callback during shutdown has no conn->bundle
X-Git-Tag: curl-7_82_0~167
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3267ac40dad43cc4959f8c35a2a465264b6b3c03;p=thirdparty%2Fcurl.git

nss: handshake callback during shutdown has no conn->bundle

The callback gets called because of the call to PR_Recv() done to
attempt to avoid RST on the TCP connection. The conn->bundle pointer is
already cleared at this point so avoid dereferencing it.

Reported-by: Eric Musser
Fixes #8341
Closes #8342
---

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 9e301437b6..c3f40f2b96 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -882,8 +882,14 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
        !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
       conn->negnpn = CURL_HTTP_VERSION_1_1;
     }
-    Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
-                        BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
+
+    /* This callback might get called when PR_Recv() is used within
+     * close_one() during a connection shutdown. At that point there might not
+     * be any "bundle" associated with the connection anymore.
+     */
+    if(conn->bundle)
+      Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
+                          BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
   }
 }