From aa979e441d2a12cd324c535ddd93ea1a46abd1df Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 27 Jan 2020 22:50:33 +0100
Subject: multi_done: if multiplexed, make conn->data point to another transfer

... since the current transfer is being killed. Setting to NULL is wrong, leaving it pointing to 'data' is wrong since that handle might be about to get freed.

Fixes #4845
Reported-by: dmitrmax on github
---
 lib/multi.c | 3 +++
 lib/url.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/lib/multi.c b/lib/multi.c
index 1b79d42a4..2b8f2d877 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -591,6 +591,9 @@ static CURLcode multi_done(struct Curl_easy *data,
 detach_connnection(data);
 if(CONN_INUSE(conn)) {
 /* Stop if still used. */
+ /* conn->data must not remain pointing to this transfer since it is going away! Find another to own it! */
+ conn->data = conn->easyq.head->ptr;
 CONN_UNLOCK(data);
 DEBUGF(infof(data, "Connection still in use %zu, "
 "no more multi_done now!\n",
diff --git a/lib/url.c b/lib/url.c
index 689668e04..837e62a09 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1213,6 +1213,8 @@ ConnectionExists(struct Curl_easy *data,
 }
 }
+ DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));
+
 if(!canmultiplex && check->data)
 /* this request can't be multiplexed but the checked connection is already in use so we skip it */
--
cgit v1.2.1
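Review bot: The added `conn->data = conn->easyq.head->ptr;` dereferences `conn->easyq.head` with no check, so it is safe only if `CONN_INUSE(conn)` guarantees the easy-handle queue is still non-empty after `detach_connnection(data)` has removed the current transfer; that relation is not visible in the hunk. A `DEBUGASSERT(conn->easyq.head);` immediately before the assignment would record the assumption and turn a future regression into a debug-build failure instead of a NULL dereference in release. The comment would also read better if it said what goes wrong otherwise, e.g. `/* ... leaving it pointing at this handle would dangle once the handle is freed */`, since that is the stale-pointer condition the commit message describes. `multi_done` begins and continues outside the hunk.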
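Review bot: `DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));` compiles out of release builds, so a stale `check->data` is caught only in debug runs while the `if(!canmultiplex && check->data)` test below still consults the pointer unconditionally; the assertion is a tripwire, not a mitigation, and the actual fix is the reassignment in `multi_done`. A one-line comment tying the two together would tell a reader why the invariant is expected to hold, e.g. `/* multi_done() re-points conn->data at another queued transfer when multiplexed, so a non-NULL value here must be a live handle */`. `ConnectionExists` continues on both sides of the hunk.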