multi.c: Avoid invalid memory read after free() from commit 3c8c873252

As the current element in the list is free()d by Curl_llist_remove(),
when the associated connection is pending, reworked the loop to avoid
accessing the next element through e->next afterward.

diff --git a/lib/multi.c b/lib/multi.c
index cd99612ca15ab8f5e51ed6ffac25fca6dbf751e8..a1dc2c82c97d67594fd55bbab5bd488db4715e42 100644 (file)
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -2779,17 +2779,23 @@ struct curl_llist *Curl_multi_pipelining_server_bl(struct Curl_multi *multi)
 
 void Curl_multi_process_pending_handles(struct Curl_multi *multi)
 {
-  struct curl_llist_element *e;
+  struct curl_llist_element *e = multi->pending->head;
 
-  for(e = multi->pending->head; e; e = e->next) {
+  while(e) {
     struct SessionHandle *data = e->ptr;
+    struct curl_llist_element *next = e->next;
+
     if(data->mstate == CURLM_STATE_CONNECT_PEND) {
       multistate(data, CURLM_STATE_CONNECT);
+
       /* Remove this node from the list */
       Curl_llist_remove(multi->pending, e, NULL);
+
       /* Make sure that the handle will be processed soonish. */
       Curl_expire_latest(data, 1);
     }
+
+    e = next; /* operate on next handle */
   }
 }