From 699a2df3505898393733a67bf3e9243637b87400 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 8 Oct 2024 08:00:55 +0200
Subject: [PATCH] conncache: find bundle again in case it is removed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the pool is cleaned up due to host limits, the bundle may be
cleaned up as well making the old pointer invalid.

Fixes #15185
Reported-by: Moritz Knüsel
Closes #15186
---
 lib/conncache.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/conncache.c b/lib/conncache.c
index 631c9f18bf..485f6f1273 100644
--- a/lib/conncache.c
+++ b/lib/conncache.c
@@ -329,6 +329,9 @@ int Curl_cpool_check_limits(struct Curl_easy *data,
                    "limit of %zu", oldest_idle->connection_id,
                    Curl_llist_count(&bundle->conns), dest_limit));
       Curl_cpool_disconnect(data, oldest_idle, FALSE);
+
+      /* in case the bundle was destroyed in disconnect, look it up again */
+      bundle = cpool_find_bundle(cpool, conn);
     }
     if(bundle && (Curl_llist_count(&bundle->conns) >= dest_limit)) {
       result = CPOOL_LIMIT_DEST;