multi_done: if multiplexed, make conn->data point to another transfer

... since the current transfer is being killed. Setting to NULL is
wrong, leaving it pointing to 'data' is wrong since that handle might be
about to get freed.

Fixes #4845
Closes #4858
Reported-by: dmitrmax on github

diff --git a/lib/multi.c b/lib/multi.c
index b641074d434552f9e73e62d06bc53a1821b3fe39..6c9d06b0b59e328f95ea11624c198e4495351b87 100644 (file)
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -592,6 +592,9 @@ static CURLcode multi_done(struct Curl_easy *data,
   detach_connnection(data);
   if(CONN_INUSE(conn)) {
     /* Stop if still used. */
+    /* conn->data must not remain pointing to this transfer since it is going
+       away! Find another to own it! */
+    conn->data = conn->easyq.head->ptr;
     CONN_UNLOCK(data);
     DEBUGF(infof(data, "Connection still in use %zu, "
                  "no more multi_done now!\n",

diff --git a/lib/url.c b/lib/url.c
index 689668e049484620169b294ae58eb94287cfe27c..837e62a09639d3aef6598ab491e701a279f55c68 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -1213,6 +1213,8 @@ ConnectionExists(struct Curl_easy *data,
         }
       }
 
+      DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));
+
       if(!canmultiplex && check->data)
         /* this request can't be multiplexed but the checked connection is
            already in use so we skip it */