From 3267ac40dad43cc4959f8c35a2a465264b6b3c03 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 28 Jan 2022 08:17:15 +0100
Subject: [PATCH] nss: handshake callback during shutdown has no conn->bundle

The callback gets called because of the call to PR_Recv() done to attempt to avoid RST on the TCP connection. The conn->bundle pointer is already cleared at this point so avoid dereferencing it.
Reported-by: Eric Musser
Fixes #8341
Closes #8342
---
 lib/vtls/nss.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 9e301437b6..c3f40f2b96 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -882,8 +882,14 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
 !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
 conn->negnpn = CURL_HTTP_VERSION_1_1;
 }
- Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
- BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
+
+ /* This callback might get called when PR_Recv() is used within
+ * close_one() during a connection shutdown. At that point there might not
+ * be any "bundle" associated with the connection anymore.
+ */
+ if(conn->bundle)
+ Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
+ BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
 }
 }
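Review bot: The new `if(conn->bundle)` guard protects only this one call site, while the NULL dereference it avoids presumably sits inside Curl_multiuse_state(), which is not visible in the hunk. Any other caller that can run after the bundle pointer is cleared would still crash, so it is worth checking whether the callee should tolerate a missing bundle itself. The lines above the guard still write `conn->negnpn` during shutdown, and `data` is still passed on when the bundle exists; the new comment could state that `conn` and `data` are expected to remain valid when the callback fires from close_one(). The guarded call spans two lines without braces, so `if(conn->bundle) {` with a closing `}` would make its extent explicit. HandshakeCallback's body starts outside the hunk, so the earlier part of the callback could not be checked for other uses of the bundle.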