Curl_reconnect_request: clear pointer on failure

The Curl_reconnect_request() function could end up returning a pointer
to a free()d struct when Curl_done() failed inside. Clearing the pointer
unconditionally after Curl_done() avoids this risk.

Reported by: Ho-chi Chen
Bug: http://curl.haxx.se/mail/lib-2012-09/0188.html

diff --git a/lib/transfer.c b/lib/transfer.c
index 73456ec3e71114e8b7fc58b5bb3acb1f1156c71b..2ad5fad46f68d0df1e275470fd5bd1f7f986f8b2 100644 (file)
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1985,7 +1985,9 @@ Curl_reconnect_request(struct connectdata **connp)
   conn->bits.close = TRUE; /* enforce close of this connection */
   result = Curl_done(&conn, result, FALSE); /* we are so done with this */
 
-  /* conn may no longer be a good pointer */
+  /* conn may no longer be a good pointer, clear it to avoid mistakes by
+     parent functions */
+  *connp = NULL;
 
   /*
    * According to bug report #1330310. We need to check for CURLE_SEND_ERROR