From: Daniel Stenberg
Date: Mon, 14 Jan 2019 23:06:26 +0000 (+0100)
Subject: extract_if_dead: follow-up to 54b201b48c90a
X-Git-Tag: curl-7_64_0~39
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bbae24c3ae3bce7518f0fbd2d260359ee6a36510;p=curl
extract_if_dead: follow-up to 54b201b48c90a
extract_if_dead() dead is called from two functions, and only one of them should get conn->data updated and now neither call path clears it. scan-build found a case where conn->data would be NULL dereferenced in ConnectionExists() otherwise.
Closes #3473
---
diff --git a/lib/url.c b/lib/url.c
index 273c11de5..bb53f2740 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -965,9 +965,7 @@ static bool extract_if_dead(struct connectdata *conn,
 /* The protocol has a special method for checking the state of the connection. Use it to check if the connection is dead. */
 unsigned int state;
- conn->data = data; /* temporary transfer for this connection to use */
 state = conn->handler->connection_check(conn, CONNCHECK_ISDEAD);
- conn->data = NULL; /* clear transfer again */
 dead = (state & CONNRESULT_DEAD);
 } else {
@@ -996,6 +994,7 @@ struct prunedead {
 static int call_extract_if_dead(struct connectdata *conn, void *param) {
 struct prunedead *p = (struct prunedead *)param;
+ conn->data = p->data; /* transfer to use for this check */
 if(extract_if_dead(conn, p->data)) {
 /* stop the iteration here, pass back the connection that was extracted */
 p->extracted = conn;
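Review bot: In the first hunk, the `connection_check` call in the handler branch of extract_if_dead() now runs with whatever `conn->data` the caller left in place, and nothing in the visible lines states or checks that it references a live transfer. The commit message says only one of the two callers should update `conn->data`, so the other path relies on an invariant kept somewhere outside this diff. I would record that contract directly above the call, for example `/* conn->data must already reference a valid transfer here; this function neither sets nor clears it */`. The function begins and ends outside the hunk, so other uses of the `data` parameter cannot be judged from here.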
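Review bot: In the second hunk, the added `conn->data = p->data;` in call_extract_if_dead() is unconditional and never undone, so every connection the prune iteration finds alive stays in the cache pointing at the transfer that ran the prune. If that easy handle is freed before the connection is next picked up, the pointer dangles; whether every reuse path overwrites it first is not visible here. The assignment also precedes any in-use check, which presumably lives inside extract_if_dead(), so it may replace the pointer of a connection owned by another transfer. I would save the previous value and restore it when extract_if_dead() returns false, or add a comment explaining why the stale pointer is safe. The function body continues past the end of the hunk.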