From d430a989761e293e0fb042dcfe575cabdd95805a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Tue, 19 Jan 2021 16:10:08 +0200
Subject: [PATCH] libfetch: fix use-after-free in connection cache management

fixes #10734
---
 libfetch/common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libfetch/common.c b/libfetch/common.c
index eb54df5..aabe218 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -381,7 +381,7 @@ fetch_cache_get(const struct url *url, int af)
 void
 fetch_cache_put(conn_t *conn, int (*closecb)(conn_t *))
 {
-	conn_t *iter, *last;
+	conn_t *iter, *last, *next_cached;
 	int global_count, host_count;
 
 	if (conn->cache_url == NULL || cache_global_limit == 0) {
@@ -391,8 +391,8 @@ fetch_cache_put(conn_t *conn, int (*closecb)(conn_t *))
 
 	global_count = host_count = 0;
 	last = NULL;
-	for (iter = connection_cache; iter;
-	    last = iter, iter = iter->next_cached) {
+	for (iter = connection_cache; iter; last = iter, iter = next_cached) {
+		next_cached = iter->next_cached;
 		++global_count;
 		if (strcmp(conn->cache_url->host, iter->cache_url->host) == 0)
 			++host_count;