From 719ff51acdef114d8fd7eed04014ba5854ccf41f Mon Sep 17 00:00:00 2001
From: Timo Teräs <timo.teras@iki.fi>
Date: Tue, 19 Jan 2021 16:10:08 +0200
Subject: libfetch: fix use-after-free in connection cache management

fixes #10734

(cherry picked from commit c37b385beefd0e8324bf70f011e52a8c65f7fddf)
---
 libfetch/common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libfetch/common.c b/libfetch/common.c
index 537715b..5449f66 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -380,7 +380,7 @@ fetch_cache_get(const struct url *url, int af)
 void
 fetch_cache_put(conn_t *conn, int (*closecb)(conn_t *))
 {
-	conn_t *iter, *last;
+	conn_t *iter, *last, *next_cached;
 	int global_count, host_count;
 
 	if (conn->cache_url == NULL || cache_global_limit == 0) {
@@ -390,8 +390,8 @@ fetch_cache_put(conn_t *conn, int (*closecb)(conn_t *))
 
 	global_count = host_count = 0;
 	last = NULL;
-	for (iter = connection_cache; iter;
-	    last = iter, iter = iter->next_cached) {
+	for (iter = connection_cache; iter; last = iter, iter = next_cached) {
+		next_cached = iter->next_cached;
 		++global_count;
 		if (strcmp(conn->cache_url->host, iter->cache_url->host) == 0)
 			++host_count;
-- 
cgit v1.2.3-70-g09d2