From: luminixinc on github <luminixinc@users.noreply.github.com>
Date: Thu, 27 Jan 2022 21:52:26 +0000 (-1000)
Subject: multi: remember connection_id before returning connection to pool
X-Git-Tag: curl-7_82_0~157
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3c798b1db35890801877f08812c30fdbf7ededdd;p=thirdparty%2Fcurl.git

multi: remember connection_id before returning connection to pool

Fix a bug that does not require a new CVE as discussed on hackerone.com.
Previously `connection_id` was accessed after returning connection to
the shared pool.

Bug: https://hackerone.com/reports/1463013
Closes #8355
---

diff --git a/lib/multi.c b/lib/multi.c
index 66e269cb92..55882997ce 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -703,14 +703,15 @@ static CURLcode multi_done(struct Curl_easy *data,
       conn->bits.conn_to_host ? conn->conn_to_host.dispname :
       conn->host.dispname;
     /* create string before returning the connection */
+    long connection_id = conn->connection_id;
     msnprintf(buffer, sizeof(buffer),
               "Connection #%ld to host %s left intact",
-              conn->connection_id, host);
+              connection_id, host);
     /* the connection is no longer in use by this transfer */
     CONNCACHE_UNLOCK(data);
     if(Curl_conncache_return_conn(data, conn)) {
       /* remember the most recently used connection */
-      data->state.lastconnect_id = conn->connection_id;
+      data->state.lastconnect_id = connection_id;
       infof(data, "%s", buffer);
     }
     else