diff options
author | Daniel Stenberg <daniel@haxx.se> | 2020-08-16 11:34:35 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2020-08-17 14:33:09 +0200 |
commit | 3c9e021f86872baae412a427e807fbfa2f3e8a22 (patch) | |
tree | 13f8dcd7655ead28abee32bbca8b8783335f4d2b /lib/multi.c | |
parent | 687908c6e6332b2bf4ba74b271e795f9c65a5a61 (diff) | |
download | curl-3c9e021f86872baae412a427e807fbfa2f3e8a22.tar.gz |
Curl_easy: remember last connection by id, not by pointer
CVE-2020-8231
Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
Reported-by: Marc Aldorasi
Closes #5824
Diffstat (limited to 'lib/multi.c')
-rw-r--r-- | lib/multi.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/multi.c b/lib/multi.c index b3a75e137..3c7fb85ed 100644 --- a/lib/multi.c +++ b/lib/multi.c @@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, data->state.conn_cache = &data->share->conn_cache; else data->state.conn_cache = &multi->conn_cache; + data->state.lastconnect_id = -1; #ifdef USE_LIBPSL /* Do the same for PSL. */ @@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data, CONNCACHE_UNLOCK(data); if(Curl_conncache_return_conn(data, conn)) { /* remember the most recently used connection */ - data->state.lastconnect = conn; + data->state.lastconnect_id = conn->connection_id; infof(data, "%s\n", buffer); } else - data->state.lastconnect = NULL; + data->state.lastconnect_id = -1; } Curl_safefree(data->state.buffer); @@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param) { struct Curl_easy *data = param; - if(data->state.lastconnect != conn) + if(data->state.lastconnect_id != conn->connection_id) return 0; if(conn->data != data) @@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, /* Remove the association between the connection and the handle */ Curl_detach_connnection(data); - if(data->state.lastconnect) { + if(data->state.lastconnect_id != -1) { /* Mark any connect-only connection for closure */ Curl_conncache_foreach(data, data->state.conn_cache, data, &close_connect_only); |