From db3449602344009f13c64ed5744718098343c003 Mon Sep 17 00:00:00 2001
From: Seonah Moon
Date: Fri, 25 Sep 2020 17:06:27 +0900
Subject: [PATCH] multi_done: if multiplexed, make conn->data point to another transfer

... since the current transfer is being killed. Setting to NULL is wrong, leaving it pointing to 'data' is wrong since that handle might be about to get freed.

Fixes #4845
Closes #4858
Reported-by: dmitrmax on github https://github.com/curl/curl/issues/4845
Change-Id: I597f1538c7ff646a13d24ab547437fd2dc037f00
---
 lib/multi.c | 3 +++
 lib/url.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/lib/multi.c b/lib/multi.c
index 6d819b4..3a393a1 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -590,6 +590,9 @@ static CURLcode multi_done(struct Curl_easy *data,
 detach_connnection(data);
 if(CONN_INUSE(conn)) {
 /* Stop if still used. */
+ /* conn->data must not remain pointing to this transfer since it is going
+ away! Find another to own it! */
+ conn->data = conn->easyq.head->ptr;
 CONN_UNLOCK(data);
 DEBUGF(infof(data, "Connection still in use %zu, "
 "no more multi_done now!\n",
diff --git a/lib/url.c b/lib/url.c
index a228a14..ff90739 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1192,6 +1192,8 @@ ConnectionExists(struct Curl_easy *data,
 }
 }
+ DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));
+
 if(!canmultiplex && check->data)
 /* this request can't be multiplexed but the checked connection is already in use so we skip it */
--
2.7.4
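Review bot: The added `conn->data = conn->easyq.head->ptr;` in lib/multi.c dereferences `conn->easyq.head` without any check of its own. It is safe only if a true `CONN_INUSE(conn)` guarantees that the queue still holds another transfer after `detach_connnection(data)` has removed this one, and that invariant is not visible in the hunk. I would state it and trip on it in debug builds with `DEBUGASSERT(conn->easyq.head);` directly above the assignment. Keep the assignment ahead of `CONN_UNLOCK(data)` as it is now, presumably so that no other user of the connection can observe the pointer to the dying transfer. multi_done's body begins and ends outside the hunk.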
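Review bot: The `DEBUGASSERT(!check->data || GOOD_EASY_HANDLE(check->data));` added in lib/url.c is a diagnostic, not a guard. Assuming DEBUGASSERT compiles away outside debug builds, a release build still treats a stale `check->data` as "in use" in the `if(!canmultiplex && check->data)` test that follows. The check presumably has to read through `check->data` to validate it, so on an already-freed handle it is itself a read of freed memory and is only dependable under a memory checker. A comment would stop readers from taking it for protection, for example `/* debug-only tripwire for a dangling conn->data; multi_done() is what keeps it valid */`. ConnectionExists continues outside the hunk.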